Hi all,
I'm trying to get the hang of Splunk and was stuck somewhere (who wasn't? :). I did search other topics to no avail.
I have events that contain stats from more than one device in a system, such as a bunch of battery voltages. Sample fields from an event could be:
Timestamp, BAT0Voltage, BAT1Voltage, BAT2Voltage, BAT3Voltage
I'm trying to include the BATxVoltage field with the largest value in a dashboard single-value panel. So I would see 566 Volts in the panel for the following sample event:
$Timestamp, 566, 543, 512, 499
But the dashboard would show 593 from this one:
$Timestamp, 566, 543, 593, 496
See, BAT0Voltage was selected in the first event, but BAT2Voltage is selected in the second as it has the largest value in a string of fields.
Thanks in advance to anyone with any ideas (working or not!).
Hi @emirhand ,
The answer provided by @richgalloway works and provides a table of maximum values. However, if you're looking for a single value for a particular device to display on a dashboard, you might try this:
| makeresults
| eval _time=now(), device="UPS001", BAT0Voltage=521, BAT1Voltage=500, BAT2Voltage=509, BAT3Voltage=593
| stats latest(BAT*) as BAT* by device
| where device="UPS001"
| table BAT*
| transpose
| stats max("row 1") as MaxVoltage
Thank you both. I think answer by @jnudell_2 fits better for my purposes, and @richgalloway's answer is archived to use for a better fit in the future. 🙂
Hi @emirhand ,
The answer provided by @richgalloway works and provides a table of maximum values. However, if you're looking for a single value for a particular device to display on a dashboard, you might try this:
| makeresults
| eval _time=now(), device="UPS001", BAT0Voltage=521, BAT1Voltage=500, BAT2Voltage=509, BAT3Voltage=593
| stats latest(BAT*) as BAT* by device
| where device="UPS001"
| table BAT*
| transpose
| stats max("row 1") as MaxVoltage
This run-anywhere example shows one way to do that.
| makeresults annotate=t | eval BAT0Voltage=521, BAT1Voltage=500, BAT2Voltage=509, BAT3Voltage=593 | eval MaxVoltage=0 | foreach BAT*Voltage [eval MaxVoltage=if('<<FIELD>>' > MaxVoltage, '<<FIELD>>', MaxVoltage)] | table MaxVoltage