Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to display the rows which has one single value more than 2

sangs8788
Communicator
‎05-19-2020 04:37 AM

Hi,

I have a query which displays the resultset as below,

alt text

I would like to get the Module which has gone more than 2s in any of the month. In the above screenshot, I need DocumentExchange to be resulted since it exceeded one of the month more than 2 s.

How do I achieve this? I tried to do | foreach *2020 [convert num(<<FIELD>>) as <<FIELD>> | search <<FIELD>>>2] But this results Module which were more than 2s in all the three months. How do i rewrite the query so that it lists Module which exceeds 2s even in any one of the month?

Please advise.
Thanks

using Max brings the max of fieldname and not the value

![alt text][2]

Labels (1)
Labels
Tags (1)
Preview file
275 KB
Preview file
99 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

493669
Super Champion
‎05-19-2020 04:54 AM

@sangs8788, Try below for each command to get maximum value then compare it with 2.

...|  foreach *2020
   [ eval max = max('<<FIELD>>') ]|where max>2

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

493669
Super Champion
‎05-19-2020 04:54 AM

@sangs8788, Try below for each command to get maximum value then compare it with 2.

...|  foreach *2020
   [ eval max = max('<<FIELD>>') ]|where max>2
0 Karma
Reply
Solved! Jump to solution

sangs8788
Communicator
‎05-26-2020 12:02 AM

@493669

It is not providing the max value instead for all the rows it takes max of fields name and not field value.

0 Karma
Reply
Solved! Jump to solution

493669
Super Champion
‎05-26-2020 12:05 AM

provide your sample data ,what is expected result and what it is returning using above query.

0 Karma
Reply
Solved! Jump to solution

sangs8788
Communicator
‎05-26-2020 12:39 AM

I have updated my query with the screenshot. As you can see, Mar-2020 is taken as the max field

0 Karma
Reply
Solved! Jump to solution

493669
Super Champion
‎05-26-2020 01:26 AM

Try this-

...| foreach *2020 
    [ eval Max=case(Max>='<<FIELD>>',Max,true(),'<<FIELD>>') ]
0 Karma
Reply
Solved! Jump to solution

sangs8788
Communicator
‎05-26-2020 01:45 AM

ok you are doing a compare of the max with each and every field. Got it. This should ideally work.

0 Karma
Reply
Solved! Jump to solution

sangs8788
Communicator
‎05-26-2020 01:53 AM

This Works. Thanks a lot

0 Karma
Reply
Solved! Jump to solution

sangs8788
Communicator
‎05-19-2020 05:06 AM

That works. Thanks

0 Karma
Reply
Get Updates on the Splunk Community!

OpenTelemetry for Legacy Apps? Yes, You Can!

This article is a follow-up to my previous article posted on the OpenTelemetry Blog, "Your Critical Legacy App ...

UCC Framework: Discover Developer Toolkit for Building Technology Add-ons

The Next-Gen Toolkit for Splunk Technology Add-on Development The Universal Configuration Console (UCC) ...

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...