Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Events with maximum value of dynamic field

mmclain1
Explorer
‎02-10-2013 02:40 PM

I think I'm missing something. I have rex generating a new field for me. I want to return only events with the maximum value for that field. Let's say the field is called testfield and the possible values for that field are 1, 2, or 3. I want to return only events with testfield=3. However, this will be in a dashboard and the next time it runs, the max value could be 4. How do I do this?

Tags (3)
Reply
1 Solution
Solved! Jump to solution
Solution

sideview
SplunkTrust
SplunkTrust
‎02-10-2013 09:24 PM

Here's something that should work for you. 

<your searchterms> | eventstats  max(testfield) as max | where testfield=max | fields - max

eventstats works much like its bigger brother stats, except that it paints its statistics back onto the original rows that were input, rather than aggregating/transforming the set. This generally means that it puts its stats back on the 'events' (although not necessarily - you can get good use out of eventstats further down the search pipeline sometimes too)

And if you're not actually interested in just the raw event text, but rather in one or more fields that are on those events, then a more straightforward way might be to do this: 

<your searchterms> | stats max(someField) values(someOtherField) avg(someThirdField) by testField | sort - testField | head 1

View solution in original post

Reply
Solved! Jump to solution
Solution

sideview
SplunkTrust
SplunkTrust
‎02-10-2013 09:24 PM

Here's something that should work for you. 

<your searchterms> | eventstats  max(testfield) as max | where testfield=max | fields - max

eventstats works much like its bigger brother stats, except that it paints its statistics back onto the original rows that were input, rather than aggregating/transforming the set. This generally means that it puts its stats back on the 'events' (although not necessarily - you can get good use out of eventstats further down the search pipeline sometimes too)

And if you're not actually interested in just the raw event text, but rather in one or more fields that are on those events, then a more straightforward way might be to do this: 

<your searchterms> | stats max(someField) values(someOtherField) avg(someThirdField) by testField | sort - testField | head 1
Reply
Solved! Jump to solution

mmclain1
Explorer
‎02-11-2013 04:11 PM

Perfect, that's exactly what I was trying to figure out how to do! Thanks!

0 Karma
Reply
Solved! Jump to solution

rodrigo_santos
Explorer
‎08-01-2016 07:11 AM

Great... 😄

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...