Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to create a table with max and sum values

HelloItsMe76
Explorer
‎07-14-2022 08:27 AM

I have a table like the below

 

Category   | Time |  Count of string

A | t-5mins | 18

A | t-10mins | 7

A | t-15mins | 10

A | t-20 mins | 1

B | t-5mins | 6

B | t-10 mins | 18

 

I would like to create a table with the latest (max) time and the sum of the count by category so that i get this

 

Category   | Max Time |  Sum

A | t-5mins |  36

B | T-5mins | 24

 

I can get the max time and the sum individually into a table but am having issues getting them both into 1 table -  the time and sum values are coming up blank. 

Can someone advise please?

 

Labels (3)
Labels
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎07-14-2022 08:37 AM

Have you tried something like this?

| stats max(time) as maxTime sum(count) as sum by Category
0 Karma
Reply

HelloItsMe76
Explorer
‎07-14-2022 08:46 AM

Hey, thanks for the response.  yes i have and it returns the correct data for the 2 fields but it doesnt pass in the Category field which i need. How can i get all 3 fields?

0 Karma
Reply

HelloItsMe76
Explorer
‎07-14-2022 08:47 AM

actually it did work. i had been using 'by Category' on both fields. thanks for the help!

0 Karma
Reply
Get Updates on the Splunk Community!

Platform Newsletter Highlights | March 2023

 March 2023 | Check out the latest and greatestIntroducing Splunk Edge Processor, simplified data ...

Enterprise Security Content Updates (ESCU) - New Releases

In the last month, the Splunk Threat Research Team (STRT) has had 3 releases of new content via the Enterprise ...

Thought Leaders are Validating Your Hard Work and Training Rigor

As a Splunk enthusiast and member of the Splunk Community, you are one of thousands who recognize the value of ...