Solved: Re: Get max version value based on another column

johnnykhoueiry · ‎08-09-2020

Hello,

how to get maxstats based on another col

Thank you!

to4kawa · ‎08-09-2020

index="my_index" sourcetype="version"
| stats count(deviceId) as countDevicesPerVersion by version
| eval PercentagesPerVersion=round((countDevicesPerVersion*100)/1152,2)
| rex field=version "(?<generation>\w\d)"
| table version, PercentagesPerVersion, generation
| eventstats max(PercentagesPerVersion) as max_perc values(generation) as gen by generation
| where gen=generation AND max_perc=PercentagesPerVersion
| eval versionNumber=replace(version,"R", "")
| sort - versionNumber
| fields - versionNumber gen max_perc
| table version PercentagesPerVersion

eventstats is useful.

View solution in original post

to4kawa · ‎08-09-2020

index="my_index" sourcetype="version"
| stats count(deviceId) as countDevicesPerVersion by version
| eval PercentagesPerVersion=round((countDevicesPerVersion*100)/1152,2)
| rex field=version "(?<generation>\w\d)"
| table version, PercentagesPerVersion, generation
| eventstats max(PercentagesPerVersion) as max_perc values(generation) as gen by generation
| where gen=generation AND max_perc=PercentagesPerVersion
| eval versionNumber=replace(version,"R", "")
| sort - versionNumber
| fields - versionNumber gen max_perc
| table version PercentagesPerVersion

eventstats is useful.

impurush · ‎08-09-2020

You can add the below line by replacing your comment(//Add something here)

|stats max(PercentagesPerVersion) by generation,version

this will give the results like.

generation

version

max(PercentagesPerVersion)

Get max version value based on another column

chart

table

Preparing your Splunk Environment for OpenSSL3

Unleash Unified Security and Observability with Splunk Cloud Platform

Splunk AppDynamics with Cisco Secure Application