Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to find out the event with max duration?

chhawu
New Member
‎10-27-2016 07:23 PM

How to find out the event with max duration?
I used command transaction to group events and I want to find out the event with max duration.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

HiroshiSatoh
Champion
‎10-27-2016 11:35 PM

Details are unknown, but ...
・・・・|transaction ・・・・|stats max(duration)
OR
・・・・|transaction ・・・・|sort -duration|head 1

View solution in original post

0 Karma
Reply
Solved! Jump to solution

akocak
Contributor
‎03-08-2018 10:25 AM

Selected answer correct for if you have one field name, for multiple similarly I use:

|sort - duration
|dedup field_name
0 Karma
Reply
Solved! Jump to solution
Solution

HiroshiSatoh
Champion
‎10-27-2016 11:35 PM

Details are unknown, but ...
・・・・|transaction ・・・・|stats max(duration)
OR
・・・・|transaction ・・・・|sort -duration|head 1

0 Karma
Reply
Solved! Jump to solution

chhawu
New Member
‎10-28-2016 07:42 AM

You are right ! I try to search with second search script to get the longest transaction,but is there any way to show column one "max(duration)" and column two _raw at once?

0 Karma
Reply
Solved! Jump to solution

Richfez
SplunkTrust
SplunkTrust
‎10-28-2016 08:32 AM

Instead of doing the ... | head 1, try instead using the limit=<number> parameter of the sort. Then to make it pretty or include other fields, use the table command.

... | transaction ...stuff...  |table duration, _raw  | sort limit=1 - duration

Give that a shot and see if it works for you.

Happy Splunking!
Rich

Reply
Solved! Jump to solution

chhawu
New Member
‎10-31-2016 07:48 PM

Hi Rich

Thanks ! I am going to modify my search script base on your suggestion.

0 Karma
Reply
Get Updates on the Splunk Community!

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...