Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to get max value from each columns that are cr...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
maniu1609
Path Finder
05-25-2018
04:31 AM
search query | timechart span=1m count by A1
the above query gives me below output:
_time column1 column2 column3
2018-05-25 10:20:05 1 1 0
2018-05-25 10:09:39 4 0 0
2018-05-25 10:27:16 0 2 2
2018-05-25 10:22:06 1 1 1
2018-05-25 10:12:45 1 1 2
2018-05-25 10:25:07 1 1 3
No of columns depends on the time range we choose(i.e) sometimes 3 columns and sometimes 6 columns and so on..
So if the above is my scenario, how I can find max values from each column and their _time value.
My expected output is:
_time column1 column2 column3
2018-05-25 10:09:39 4 0 0
2018-05-25 10:27:16 0 2 2
2018-05-25 10:25:07 1 1 3
so out main aim here is, how we can find max value of columns created dynamically.
Please help me out. I'm struggling with my task.
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
niketn
Legend
05-25-2018
09:59 AM
@maniu1609, try the following search:
<yourBaseSearch>
| bin _time span=1m
| stats count by _time A1
| eventstats max(count) as Maximum by A1
| where count=Maximum
PS: It will list multiple time for A1 if maximum count for specific A1 remains the same in multiple time buckets.
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
05-25-2018
10:58 AM
Try something like this
search query | timechart span=1m count by A1
| eventstats max(*) as max*
| eval keep="N"
| foreach max* [| eval keep=if('<<FIELD>>'='<<MATCHSTR>>',"Y",keep) ]
| where keep="Y" | fields - max* keep
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
maniu1609
Path Finder
05-29-2018
04:18 AM
it also works for me!!. Thanks!!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
niketn
Legend
05-25-2018
09:59 AM
@maniu1609, try the following search:
<yourBaseSearch>
| bin _time span=1m
| stats count by _time A1
| eventstats max(count) as Maximum by A1
| where count=Maximum
PS: It will list multiple time for A1 if maximum count for specific A1 remains the same in multiple time buckets.
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
maniu1609
Path Finder
05-29-2018
04:18 AM
It works great!!. Thanks!!
Get Updates on the Splunk Community!
Dashboards: Hiding charts while search is being executed and other uses for tokens
There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...
Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...
This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...
Brains, Bytes, and Boston: Learn from the Best at .conf25
When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...
