Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to get max value from each columns that are cr...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
search query | timechart span=1m count by A1
the above query gives me below output:
_time column1 column2 column3
2018-05-25 10:20:05 1 1 0
2018-05-25 10:09:39 4 0 0
2018-05-25 10:27:16 0 2 2
2018-05-25 10:22:06 1 1 1
2018-05-25 10:12:45 1 1 2
2018-05-25 10:25:07 1 1 3
No of columns depends on the time range we choose(i.e) sometimes 3 columns and sometimes 6 columns and so on..
So if the above is my scenario, how I can find max values from each column and their _time value.
My expected output is:
_time column1 column2 column3
2018-05-25 10:09:39 4 0 0
2018-05-25 10:27:16 0 2 2
2018-05-25 10:25:07 1 1 3
so out main aim here is, how we can find max value of columns created dynamically.
Please help me out. I'm struggling with my task.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@maniu1609, try the following search:
<yourBaseSearch>
| bin _time span=1m
| stats count by _time A1
| eventstats max(count) as Maximum by A1
| where count=Maximum
PS: It will list multiple time for A1 if maximum count for specific A1 remains the same in multiple time buckets.
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try something like this
search query | timechart span=1m count by A1
| eventstats max(*) as max*
| eval keep="N"
| foreach max* [| eval keep=if('<<FIELD>>'='<<MATCHSTR>>',"Y",keep) ]
| where keep="Y" | fields - max* keep
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
it also works for me!!. Thanks!!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@maniu1609, try the following search:
<yourBaseSearch>
| bin _time span=1m
| stats count by _time A1
| eventstats max(count) as Maximum by A1
| where count=Maximum
PS: It will list multiple time for A1 if maximum count for specific A1 remains the same in multiple time buckets.
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It works great!!. Thanks!!
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)
Automating Threat Operations and Threat Hunting with Recorded Future
