Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Can any one help to understand & use of below command in eval

maheshsat
Explorer
‎03-16-2018 08:53 PM

Can any one help to understand & use of below command in eval
index=_internal | eval Mahesh=max(1, 3, 6, 7, "foo", field)

Tags (1)
0 Karma
Reply

niketn
Legend
‎03-16-2018 09:30 PM

@maheshsat, please add a context as to why and where is this being applied. What are the typical values in field? Is it numeric or string?

Max will pull the highest in the list. Other way to analyze would be of you reverse sorted values, which value will be the first.

| makeresults 
| eval field=1000 
| map search="| makeresults
| eval data=\"1,3,6,179,foo,$field$\"" 
| makemv data delim="," 
| mvexpand data 
| sort - data 
| head 1

PS: Take out head 1 command o see ranking of each values. Also change field value to its max value(string or number) to be added to the query.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Get Updates on the Splunk Community!

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

At .conf24, we shared that we were in the process of integrating Cisco Talos threat intelligence into Splunk ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector

Agent Saturation What and Whys In application performance monitoring, saturation is defined as the total load ...