topic How to get stats max count of a field by another field? in Splunk Search

How to get stats max count of a field by another field?

bijodev1 — Wed, 02 Mar 2022 23:40:08 GMT

Hi There, I am looking to produce an output where the field with maximum count is display based on another field.

for, eg I am looking something command like

| stats max(count(errors) by status

time status errors count

What I am looking for is the max count each status and error

time status errors count

I tried many thing but with no luck, if someone could help with this.

somesoni2 — Wed, 02 Mar 2022 13:00:27 GMT

Try something like this

Your base search which gives fields _time status errors count | eventstats max(count) as max by status errors | where count=max | fields -max

ITWhisperer — Wed, 02 Mar 2022 13:04:19 GMT

It looks like there is a one-to-one relationship between status and errors, so would this work?

| stats max(count) as count values(errors) as errors max(time) as time by status

bijodev1 — Wed, 02 Mar 2022 16:28:52 GMT

thank you everyone.

Took me sometime , But this one worked for me

my search
| stats count by _time status errors
| sort -count
| dedup _time status
| sort _time