Solved: Get max version value based on another column

johnnykhoueiry · ‎08-09-2020

Hello,

how to get maxstats based on another col

Thank you!

to4kawa · ‎08-09-2020

index="my_index" sourcetype="version"
| stats count(deviceId) as countDevicesPerVersion by version
| eval PercentagesPerVersion=round((countDevicesPerVersion*100)/1152,2)
| rex field=version "(?<generation>\w\d)"
| table version, PercentagesPerVersion, generation
| eventstats max(PercentagesPerVersion) as max_perc values(generation) as gen by generation
| where gen=generation AND max_perc=PercentagesPerVersion
| eval versionNumber=replace(version,"R", "")
| sort - versionNumber
| fields - versionNumber gen max_perc
| table version PercentagesPerVersion

eventstats is useful.

View solution in original post

to4kawa · ‎08-09-2020

index="my_index" sourcetype="version"
| stats count(deviceId) as countDevicesPerVersion by version
| eval PercentagesPerVersion=round((countDevicesPerVersion*100)/1152,2)
| rex field=version "(?<generation>\w\d)"
| table version, PercentagesPerVersion, generation
| eventstats max(PercentagesPerVersion) as max_perc values(generation) as gen by generation
| where gen=generation AND max_perc=PercentagesPerVersion
| eval versionNumber=replace(version,"R", "")
| sort - versionNumber
| fields - versionNumber gen max_perc
| table version PercentagesPerVersion

eventstats is useful.

impurush · ‎08-09-2020

You can add the below line by replacing your comment(//Add something here)

|stats max(PercentagesPerVersion) by generation,version

this will give the results like.

generation

version

max(PercentagesPerVersion)

Get max version value based on another column

chart

table

Observability Unlocked: Kubernetes Monitoring with Splunk Observability Cloud

Wrapping Up Cybersecurity Awareness Month

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

Are you a member of the Splunk Community?