HI
So I have this dashboard showing the below.
HBSS ACAS CMRSACAS CMRSHBSS
89 92 84 77
My question is: how do I get the dashboard to show ONLY the highest count for the day, since the dashboards are updated daily? Any help will be fantastic.
Thanks
It would be helpful if you could share some of your upstream SPL (and maybe even some sample data). This might help us to generate efficient SPL for your use-case.
That being said, here is a way to convert the table you provided into the largest device count.
| transpose column_name=devices
| rename "row 1" as count
| eventstats max(count) as max_count
| where count=max_count
This has the ability to return multiple rows if they have the largest count in common. You could use | head 1 after to limit it to one result.
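As an added, self-contained example (not part of the original answer), the same pipeline run against a constructed one-row table built with makeresults, so it can be pasted into any Splunk search bar without the poster's upstream search. The device names and counts are made up to mirror the question; the fields - _time step is needed because makeresults adds a _time field that would otherwise become an extra (and numerically largest) row after transpose.

```spl
| makeresults
| eval HBSS=89, ACAS=92, CMRS=84
| fields - _time
| transpose column_name=devices
| rename "row 1" as count
| eval count=tonumber(count)
| eventstats max(count) as max_count
| where count=max_count
| table devices count
```

With these constructed values the search returns a single row, devices=ACAS with count=92. If two columns shared the top value both rows would come back, which is where the | head 1 mentioned above applies. Note that the row is named "row 1" only because the input has one row; a multi-row upstream search produces "row 2", "row 3" and so on, so the rename must match whichever row holds the day's counts.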
Hi @Tom_Lundie
So I figured it out and replaced the individual search with
|search system_id=$system_id$
| transpose column_name=devices
| rename "row 2" as count
| eventstats max(count) as max_count
| where count=max_count
| table max_count
| head 1
Thank you very much