https://community.splunk.com/t5/Splunk-Search/Max-values-per-unique-field-name/m-p/21549#M3543 <P>Ah, geez. Answered it myself. </P> <P>| dedup Site</P> <P>I knew it was too easy.</P> Wed, 01 May 2013 22:00:40 GMT tnkoehn 2013-05-01T22:00:40Z https://community.splunk.com/t5/Splunk-Search/Max-values-per-unique-field-name/m-p/21548#M3542 <P>I currently have a search that gives me the top counts by time and site. For example, I might get the following results:</P> <PRE><CODE>Date Site Count 2013-05-01 14:25:00 den01 5729 2013-05-01 14:27:00 den01 5727 2013-05-01 14:12:00 oma01 5698 2013-05-01 14:00:00 den01 5663 2013-05-01 14:04:00 oma01 3961 2013-05-01 14:03:00 atl01 3870 2013-05-01 15:02:00 den01 3666 2013-05-01 14:05:00 oma01 3588 2013-05-01 14:04:00 atl01 2559 2013-05-01 14:03:00 oma01 2554 </CODE></PRE> <P>However, I only want the top results per site. Like this:</P> <PRE><CODE>Date Site Count 2013-05-01 14:25:00 den01 5729 2013-05-01 14:12:00 oma01 5698 2013-05-01 14:03:00 atl01 3870 </CODE></PRE> <P>I'm not sure how to do this. Any help would be greatly appreciated. Thanks!</P> Wed, 01 May 2013 21:48:02 GMT https://community.splunk.com/t5/Splunk-Search/Max-values-per-unique-field-name/m-p/21548#M3542 tnkoehn 2013-05-01T21:48:02Z https://community.splunk.com/t5/Splunk-Search/Max-values-per-unique-field-name/m-p/21549#M3543 <P>Ah, geez. Answered it myself. </P> <P>| dedup Site</P> <P>I knew it was too easy.</P> Wed, 01 May 2013 22:00:40 GMT https://community.splunk.com/t5/Splunk-Search/Max-values-per-unique-field-name/m-p/21549#M3543 tnkoehn 2013-05-01T22:00:40Z https://community.splunk.com/t5/Splunk-Search/Max-values-per-unique-field-name/m-p/21550#M3544 <P>dedup may work but that depend on sort.<BR /> ...|fields Date, Site, Count | stats max(Count) as Count by Site | table Date, Site, Count</P> Wed, 01 May 2013 22:07:22 GMT https://community.splunk.com/t5/Splunk-Search/Max-values-per-unique-field-name/m-p/21550#M3544 bmacias84 2013-05-01T22:07:22Z