https://community.splunk.com/t5/Splunk-Search/How-to-find-max-value-of-multiple-fields-in-one-record/m-p/87000#M22210 <P>I have a record that shows multiple temperature readings of a device in a single record. Each "temp" has it's own unique field name. They all have in common *TempVal. I can do a bunch of commands that displays each field. I want to know which one is the max value, but none of the names are common.</P> <P>| stats max(*TempVal) gives a single line of each field.</P> <P>Sample record:<BR /> 1331154676 src_host="ACH_Dist" perfdata="SERVICEPERFDATA" name="Cisco Environment" severity="CRITICAL" attempt="3" statetype="HARD" executiontime="0.447" latency="9.234" reason="6 Fan OK, ps chassis-1 Power Supply 1, WS-CAC:notFunctioning , 48 temp OK : CRITICAL" result="Chassis1module9inlettemperaTempVal=25 Chassis1module9inlettemperaTempMax=70 Chassis1module1outlettemperTempVal=48 Chassis1module1outlettemperTempMax=90 Chassis1module2outlettemperTempVal=43 Chassis1module2outlettemperTempMax=90 Chassis1VTT3outlettemperatuTempVal=28 Chassis1VTT3outlettemperatuTempMax=115 Chassis2module4outlettemperTempVal=40 Chassis2module4outlettemperTempMax=85 Chassis1module4outlettemperTempVal=38 Chassis1module4outlettemperTempMax=85 Chassis1module2inlettemperaTempVal=24 Chassis1module2inlettemperaTempMax=65 Chassis2module5asic-4temperTempVal=56 Chassis2module5asic-4temperTempMax=110 Chassis2module7inlettemperaTempVal=29 Chassis2module7inlettemperaTempMax=70 Chassis1module5asic-4temperTempVal=52 Chassis1module5asic-4temperTempMax=110 Chassis2module7outlettemperTempVal=32 Chassis2module7outlettemperTempMax=85 Chassis2module6inlettemperaTempVal=25 Chassis2module6inlettemperaTempMax=70 Chassis1VTT1outlettemperatuTempVal=32 Chassis1VTT1outlettemperatuTempMax=115 Chassis1module5RPinlettempTempVal=32 Chassis1module5RPinlettempTempMax=65 Chassis1module4EARLinletteTempVal=26 Chassis1module4EARLinletteTempMax=75 Chassis1module9outlettemperTempVal=45 Chassis1module9outlettemperTempMax=100 Chassis2module9outlettemperTempVal=50 Chassis2module9outlettemperTempMax=100 Chassis1module5EARLoutlettTempVal=31 Chassis1module5EARLoutlettTempMax=75 Chassis2module4EARLinletteTempVal=30 Chassis2module4EARLinletteTempMax=75 Chassis2module2inlettemperaTempVal=26 Chassis2module2inlettemperaTempMax=65 Chassis2module5EARLinletteTempVal=27 Chassis2module5EARLinletteTempMax=65 Chassis1module4inlettemperaTempVal=28 Chassis1module4inlettemperaTempMax=65 Chassis1module5inlettemperaTempVal=24 Chassis1module5inlettemperaTempMax=80 Chassis2module7device-1tempTempVal=27 Chassis2module7device-1tempTempMax=70 Chassis2module1outlettemperTempVal=49 Chassis2module1outlettemperTempMax=90 Chassis1module5asic-3temperTempVal=39 Chassis1module5asic-3temperTempMax=110 Chassis2module1inlettemperaTempVal=26 Chassis2module1inlettemperaTempMax=65 Chassis2VTT2outlettemperatuTempVal=31 Chassis2VTT2outlettemperatuTempMax=115 Chassis2module5RPinlettempTempVal=32 Chassis2module5RPinlettempTempMax=65 Chassis2module5inlettemperaTempVal=24 Chassis2module5inlettemperaTempMax=80 Chassis2module4inlettemperaTempVal=30 Chassis2module4inlettemperaTempMax=65 Chassis2module6outlettemperTempVal=40 Chassis2module6outlettemperTempMax=100 Chassis2VTT3outlettemperatuTempVal=26 Chassis2VTT3outlettemperatuTempMax=115 Chassis2module9inlettemperaTempVal=24 Chassis2module9inlettemperaTempMax=70 Chassis2module5EARLoutlettTempVal=32 Chassis2module5EARLoutlettTempMax=75 Chassis1module5outlettemperTempVal=35 Chassis1module5outlettemperTempMax=85 Chassis2module5outlettemperTempVal=36 Chassis2module5outlettemperTempMax=85 Chassis1VTT2outlettemperatuTempVal=26 Chassis1VTT2outlettemperatuTempMax=115 Chassis1module5RPoutlettemTempVal=31 Chassis1module5RPoutlettemTempMax=65 Chassis2module7device-2tempTempVal=30 Chassis2module7device-2tempTempMax=75 Chassis2module4EARLoutlettTempVal=32 Chassis2module4EARLoutlettTempMax=80 Chassis1module1inlettemperaTempVal=24 Chassis1module1inlettemperaTempMax=65 Chassis2module2outlettemperTempVal=44 Chassis2module2outlettemperTempMax=90 Chassis1module4EARLoutlettTempVal=30 Chassis1module4EARLoutlettTempMax=80 Chassis2module5RPoutlettemTempVal=32 Chassis2module5RPoutlettemTempMax=65 Chassis1module5EARLinletteTempVal=24 Chassis1module5EARLinletteTempMax=65 Chassis2VTT1outlettemperatuTempVal=28 Chassis2VTT1outlettemperatuTempMax=115 Chassis2module5asic-3temperTempVal=40 Chassis2module5asic-3temperTempMax=110" </P> Mon, 28 Sep 2020 11:29:23 GMT paganom 2020-09-28T11:29:23Z https://community.splunk.com/t5/Splunk-Search/How-to-find-max-value-of-multiple-fields-in-one-record/m-p/87000#M22210 <P>I have a record that shows multiple temperature readings of a device in a single record. Each "temp" has it's own unique field name. They all have in common *TempVal. I can do a bunch of commands that displays each field. I want to know which one is the max value, but none of the names are common.</P> <P>| stats max(*TempVal) gives a single line of each field.</P> <P>Sample record:<BR /> 1331154676 src_host="ACH_Dist" perfdata="SERVICEPERFDATA" name="Cisco Environment" severity="CRITICAL" attempt="3" statetype="HARD" executiontime="0.447" latency="9.234" reason="6 Fan OK, ps chassis-1 Power Supply 1, WS-CAC:notFunctioning , 48 temp OK : CRITICAL" result="Chassis1module9inlettemperaTempVal=25 Chassis1module9inlettemperaTempMax=70 Chassis1module1outlettemperTempVal=48 Chassis1module1outlettemperTempMax=90 Chassis1module2outlettemperTempVal=43 Chassis1module2outlettemperTempMax=90 Chassis1VTT3outlettemperatuTempVal=28 Chassis1VTT3outlettemperatuTempMax=115 Chassis2module4outlettemperTempVal=40 Chassis2module4outlettemperTempMax=85 Chassis1module4outlettemperTempVal=38 Chassis1module4outlettemperTempMax=85 Chassis1module2inlettemperaTempVal=24 Chassis1module2inlettemperaTempMax=65 Chassis2module5asic-4temperTempVal=56 Chassis2module5asic-4temperTempMax=110 Chassis2module7inlettemperaTempVal=29 Chassis2module7inlettemperaTempMax=70 Chassis1module5asic-4temperTempVal=52 Chassis1module5asic-4temperTempMax=110 Chassis2module7outlettemperTempVal=32 Chassis2module7outlettemperTempMax=85 Chassis2module6inlettemperaTempVal=25 Chassis2module6inlettemperaTempMax=70 Chassis1VTT1outlettemperatuTempVal=32 Chassis1VTT1outlettemperatuTempMax=115 Chassis1module5RPinlettempTempVal=32 Chassis1module5RPinlettempTempMax=65 Chassis1module4EARLinletteTempVal=26 Chassis1module4EARLinletteTempMax=75 Chassis1module9outlettemperTempVal=45 Chassis1module9outlettemperTempMax=100 Chassis2module9outlettemperTempVal=50 Chassis2module9outlettemperTempMax=100 Chassis1module5EARLoutlettTempVal=31 Chassis1module5EARLoutlettTempMax=75 Chassis2module4EARLinletteTempVal=30 Chassis2module4EARLinletteTempMax=75 Chassis2module2inlettemperaTempVal=26 Chassis2module2inlettemperaTempMax=65 Chassis2module5EARLinletteTempVal=27 Chassis2module5EARLinletteTempMax=65 Chassis1module4inlettemperaTempVal=28 Chassis1module4inlettemperaTempMax=65 Chassis1module5inlettemperaTempVal=24 Chassis1module5inlettemperaTempMax=80 Chassis2module7device-1tempTempVal=27 Chassis2module7device-1tempTempMax=70 Chassis2module1outlettemperTempVal=49 Chassis2module1outlettemperTempMax=90 Chassis1module5asic-3temperTempVal=39 Chassis1module5asic-3temperTempMax=110 Chassis2module1inlettemperaTempVal=26 Chassis2module1inlettemperaTempMax=65 Chassis2VTT2outlettemperatuTempVal=31 Chassis2VTT2outlettemperatuTempMax=115 Chassis2module5RPinlettempTempVal=32 Chassis2module5RPinlettempTempMax=65 Chassis2module5inlettemperaTempVal=24 Chassis2module5inlettemperaTempMax=80 Chassis2module4inlettemperaTempVal=30 Chassis2module4inlettemperaTempMax=65 Chassis2module6outlettemperTempVal=40 Chassis2module6outlettemperTempMax=100 Chassis2VTT3outlettemperatuTempVal=26 Chassis2VTT3outlettemperatuTempMax=115 Chassis2module9inlettemperaTempVal=24 Chassis2module9inlettemperaTempMax=70 Chassis2module5EARLoutlettTempVal=32 Chassis2module5EARLoutlettTempMax=75 Chassis1module5outlettemperTempVal=35 Chassis1module5outlettemperTempMax=85 Chassis2module5outlettemperTempVal=36 Chassis2module5outlettemperTempMax=85 Chassis1VTT2outlettemperatuTempVal=26 Chassis1VTT2outlettemperatuTempMax=115 Chassis1module5RPoutlettemTempVal=31 Chassis1module5RPoutlettemTempMax=65 Chassis2module7device-2tempTempVal=30 Chassis2module7device-2tempTempMax=75 Chassis2module4EARLoutlettTempVal=32 Chassis2module4EARLoutlettTempMax=80 Chassis1module1inlettemperaTempVal=24 Chassis1module1inlettemperaTempMax=65 Chassis2module2outlettemperTempVal=44 Chassis2module2outlettemperTempMax=90 Chassis1module4EARLoutlettTempVal=30 Chassis1module4EARLoutlettTempMax=80 Chassis2module5RPoutlettemTempVal=32 Chassis2module5RPoutlettemTempMax=65 Chassis1module5EARLinletteTempVal=24 Chassis1module5EARLinletteTempMax=65 Chassis2VTT1outlettemperatuTempVal=28 Chassis2VTT1outlettemperatuTempMax=115 Chassis2module5asic-3temperTempVal=40 Chassis2module5asic-3temperTempMax=110" </P> Mon, 28 Sep 2020 11:29:23 GMT https://community.splunk.com/t5/Splunk-Search/How-to-find-max-value-of-multiple-fields-in-one-record/m-p/87000#M22210 paganom 2020-09-28T11:29:23Z https://community.splunk.com/t5/Splunk-Search/How-to-find-max-value-of-multiple-fields-in-one-record/m-p/87001#M22211 <PRE> | rex max_match=100 "Chassis\w+TempVal=(?&lt;TempVal&gt;\d+)" | stats max(TempVal) </PRE> Thu, 08 Mar 2012 06:52:16 GMT https://community.splunk.com/t5/Splunk-Search/How-to-find-max-value-of-multiple-fields-in-one-record/m-p/87001#M22211 Masa 2012-03-08T06:52:16Z https://community.splunk.com/t5/Splunk-Search/How-to-find-max-value-of-multiple-fields-in-one-record/m-p/87002#M22212 <P>Thanks. Just what I was looking for.</P> Thu, 08 Mar 2012 14:28:27 GMT https://community.splunk.com/t5/Splunk-Search/How-to-find-max-value-of-multiple-fields-in-one-record/m-p/87002#M22212 paganom 2012-03-08T14:28:27Z