My search:
|timechart span=1s sum(bit) by dst
Result table:
_time,1.1.1.1,2.2.2.2,3.3.3.3
090000,300,300,300
090001,200,200,500
090002,100,400,400
I want the table (displaying the time and the value when sum(bit) is biggest):
1.1.1.1,2.2.2.2,3.3.3.3
090000,090002,090001
300,400,500
or
dst,time,sum(bit)
1.1.1.1,090000,300
2.2.2.2,090002,400
3.3.3.3,090001,500
How can I transform the table?
Try like this
your base search | bucket span=1s _time | stats sum(bit) as bit by _time dst | eventstats max(bit) as max by dst | where bit=max | table dst _time bit
Thanks somesoni2
I could do it!
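A run-anywhere version of the search above, added here as an example and not part of the original thread. It rebuilds the question's sample table with makeresults; the field name constructed_sample and the date 2024-01-01 are assumptions made only so the rows get a valid _time.

```spl
| makeresults
| eval constructed_sample="090000,1.1.1.1,300;090000,2.2.2.2,300;090000,3.3.3.3,300;090001,1.1.1.1,200;090001,2.2.2.2,200;090001,3.3.3.3,500;090002,1.1.1.1,100;090002,2.2.2.2,400;090002,3.3.3.3,400"
| makemv delim=";" constructed_sample
| mvexpand constructed_sample
| rex field=constructed_sample "^(?<t>\d+),(?<dst>[^,]+),(?<bit>\d+)$"
| eval _time=strptime("2024-01-01 ".t, "%Y-%m-%d %H%M%S")
| bin span=1s _time
| stats sum(bit) as bit by _time dst
| eventstats max(bit) as max by dst
| where bit=max
| table dst _time bit
```

If a dst reaches its maximum in more than one second, `where bit=max` returns every tied row; append `| dedup dst` to keep a single row per dst.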
Try this
... | bin span=1s _time | stats sum(bit) as s by dst _time | stats values(dst) as dst max(s) as bits by _time | table dst _time bits
Thanks sundareshr!
But I need the biggest value for each "DST".