Solved: Re: Get max version value based on another column

johnnykhoueiry · ‎08-09-2020

Hello,

how to get maxstats based on another col

Thank you!

to4kawa · ‎08-09-2020

index="my_index" sourcetype="version"
| stats count(deviceId) as countDevicesPerVersion by version
| eval PercentagesPerVersion=round((countDevicesPerVersion*100)/1152,2)
| rex field=version "(?<generation>\w\d)"
| table version, PercentagesPerVersion, generation
| eventstats max(PercentagesPerVersion) as max_perc values(generation) as gen by generation
| where gen=generation AND max_perc=PercentagesPerVersion
| eval versionNumber=replace(version,"R", "")
| sort - versionNumber
| fields - versionNumber gen max_perc
| table version PercentagesPerVersion

eventstats is useful.

View solution in original post

to4kawa · ‎08-09-2020

index="my_index" sourcetype="version"
| stats count(deviceId) as countDevicesPerVersion by version
| eval PercentagesPerVersion=round((countDevicesPerVersion*100)/1152,2)
| rex field=version "(?<generation>\w\d)"
| table version, PercentagesPerVersion, generation
| eventstats max(PercentagesPerVersion) as max_perc values(generation) as gen by generation
| where gen=generation AND max_perc=PercentagesPerVersion
| eval versionNumber=replace(version,"R", "")
| sort - versionNumber
| fields - versionNumber gen max_perc
| table version PercentagesPerVersion

eventstats is useful.

impurush · ‎08-09-2020

You can add the below line by replacing your comment(//Add something here)

|stats max(PercentagesPerVersion) by generation,version

this will give the results like.

generation

version

max(PercentagesPerVersion)

Get max version value based on another column

chart

table

The OpenTelemetry Certified Associate (OTCA) Exam

From Manual to Agentic: Level Up Your SOC at Cisco Live

Splunk Classroom Chronicles: Training Tales and Testimonials (Episode 4)

Join the Conversation