https://community.splunk.com/t5/Splunk-Search/Finding-additional-info-about-a-value-returned-by-max/m-p/88074#M22515 <P>What was the other way that you ended up using?</P> Wed, 06 Jun 2012 23:01:07 GMT richprescott 2012-06-06T23:01:07Z https://community.splunk.com/t5/Splunk-Search/Finding-additional-info-about-a-value-returned-by-max/m-p/88071#M22512 <P>I am looking at maximum processor usage by specific processes on a group of clients. By using stats max on my data (which contains host, instance, and % Processor Time fields), I can pull the max % Processor time that a given process reached on any client in the group. Is there a way to get Splunk to tell me which host (or record) that maximum came from? Ideally I'd like to be able to mouse over the entry in a bar graph and have it tell me something like "iexplore: 99%, host: foo1".</P> Thu, 08 Mar 2012 19:05:11 GMT https://community.splunk.com/t5/Splunk-Search/Finding-additional-info-about-a-value-returned-by-max/m-p/88071#M22512 cphair 2012-03-08T19:05:11Z https://community.splunk.com/t5/Splunk-Search/Finding-additional-info-about-a-value-returned-by-max/m-p/88072#M22513 <P>Yes, you can do this using the "sort" command, supposing the processor time is in a field called <CODE>% Processor Time</CODE>:</P> <PRE><CODE>... | sort - "% Processor Time" | head 1 | table host instance "% Processor Time" </CODE></PRE> <P>Now, you can make this more interesting by looking at the top per host:</P> <PRE><CODE>... | dedup host sortby - "% Processor Time" | table host instance "% Processor Time" </CODE></PRE> Fri, 09 Mar 2012 03:04:35 GMT https://community.splunk.com/t5/Splunk-Search/Finding-additional-info-about-a-value-returned-by-max/m-p/88072#M22513 Stephen_Sorkin 2012-03-09T03:04:35Z https://community.splunk.com/t5/Splunk-Search/Finding-additional-info-about-a-value-returned-by-max/m-p/88073#M22514 <P>I ended up doing this another way, but I think this works too, so I'll mark it up. Thanks.</P> Mon, 12 Mar 2012 17:34:01 GMT https://community.splunk.com/t5/Splunk-Search/Finding-additional-info-about-a-value-returned-by-max/m-p/88073#M22514 cphair 2012-03-12T17:34:01Z https://community.splunk.com/t5/Splunk-Search/Finding-additional-info-about-a-value-returned-by-max/m-p/88074#M22515 <P>What was the other way that you ended up using?</P> Wed, 06 Jun 2012 23:01:07 GMT https://community.splunk.com/t5/Splunk-Search/Finding-additional-info-about-a-value-returned-by-max/m-p/88074#M22515 richprescott 2012-06-06T23:01:07Z https://community.splunk.com/t5/Splunk-Search/Finding-additional-info-about-a-value-returned-by-max/m-p/88075#M22516 <P>I used stats to split out the max by each host and instance, then used eval to create a new field (eval hostInstance = instance . ":" . host), then displayed the max value with the conjoined field. Inelegant but functional.</P> <P>I think this is the way to go, though:<BR /> <PRE><CODE><BR /> ...| stats max(Value) as Max by instance,host | dedup instance sortby -Max<BR /> </CODE></PRE><BR /> Still have to mess with numbered instances and case-sensitivity, but it's less ugly. Also, if you want to keep the top X readings per instance instead of the top 1, you can say "dedup X instance sortby -Max".</P> Thu, 07 Jun 2012 12:28:46 GMT https://community.splunk.com/t5/Splunk-Search/Finding-additional-info-about-a-value-returned-by-max/m-p/88075#M22516 cphair 2012-06-07T12:28:46Z