Hi,
I have a query which displays the resultset as below,
I would like to get the Module which has gone more than 2s in any of the month. In the above screenshot, I need DocumentExchange to be resulted since it exceeded one of the month more than 2 s.
How do I achieve this? I tried to do | foreach *2020 [convert num(<<FIELD>>) as <<FIELD>> | search <<FIELD>>>2]
But this results Module which were more than 2s in all the three months. How do i rewrite the query so that it lists Module which exceeds 2s even in any one of the month?
Please advise.
Thanks
using Max brings the max of fieldname and not the value
@sangs8788, Try below for each command to get maximum value then compare it with 2.
...| foreach *2020
[ eval max = max('<<FIELD>>') ]|where max>2
@sangs8788, Try below for each command to get maximum value then compare it with 2.
...| foreach *2020
[ eval max = max('<<FIELD>>') ]|where max>2
@493669
It is not providing the max value instead for all the rows it takes max of fields name and not field value.
provide your sample data ,what is expected result and what it is returning using above query.
I have updated my query with the screenshot. As you can see, Mar-2020 is taken as the max field
Try this-
...| foreach *2020
[ eval Max=case(Max>='<<FIELD>>',Max,true(),'<<FIELD>>') ]
ok you are doing a compare of the max with each and every field. Got it. This should ideally work.
This Works. Thanks a lot
That works. Thanks