Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to get max value from each columns that are cr...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
maniu1609
Path Finder
05-25-2018
04:31 AM
search query | timechart span=1m count by A1
the above query gives me below output:
_time column1 column2 column3
2018-05-25 10:20:05 1 1 0
2018-05-25 10:09:39 4 0 0
2018-05-25 10:27:16 0 2 2
2018-05-25 10:22:06 1 1 1
2018-05-25 10:12:45 1 1 2
2018-05-25 10:25:07 1 1 3
No of columns depends on the time range we choose(i.e) sometimes 3 columns and sometimes 6 columns and so on..
So if the above is my scenario, how I can find max values from each column and their _time value.
My expected output is:
_time column1 column2 column3
2018-05-25 10:09:39 4 0 0
2018-05-25 10:27:16 0 2 2
2018-05-25 10:25:07 1 1 3
so out main aim here is, how we can find max value of columns created dynamically.
Please help me out. I'm struggling with my task.
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
niketn
Legend
05-25-2018
09:59 AM
@maniu1609, try the following search:
<yourBaseSearch>
| bin _time span=1m
| stats count by _time A1
| eventstats max(count) as Maximum by A1
| where count=Maximum
PS: It will list multiple time for A1 if maximum count for specific A1 remains the same in multiple time buckets.
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
05-25-2018
10:58 AM
Try something like this
search query | timechart span=1m count by A1
| eventstats max(*) as max*
| eval keep="N"
| foreach max* [| eval keep=if('<<FIELD>>'='<<MATCHSTR>>',"Y",keep) ]
| where keep="Y" | fields - max* keep
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
maniu1609
Path Finder
05-29-2018
04:18 AM
it also works for me!!. Thanks!!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
niketn
Legend
05-25-2018
09:59 AM
@maniu1609, try the following search:
<yourBaseSearch>
| bin _time span=1m
| stats count by _time A1
| eventstats max(count) as Maximum by A1
| where count=Maximum
PS: It will list multiple time for A1 if maximum count for specific A1 remains the same in multiple time buckets.
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
maniu1609
Path Finder
05-29-2018
04:18 AM
It works great!!. Thanks!!
Get Updates on the Splunk Community!
See your relevant APM services, dashboards, and alerts in one place with the updated ...
As a Splunk Observability user, you have a lot of data you have to manage, prioritize, and troubleshoot on a ...
Index This | What goes away as soon as you talk about it?
May 2025 Edition
Hayyy Splunk Education Enthusiasts and the Eternally Curious!
We’re back with this month’s ...
What's New in Splunk Observability Cloud and Splunk AppDynamics - May 2025
This month, we’re delivering several new innovations in Splunk Observability Cloud and Splunk AppDynamics ...
