Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to get stats max count of a field by another field?

bijodev1
Communicator
‎03-02-2022 04:55 AM

Hi There, I am looking to produce an output where the field with maximum count is display based on another field.

for, eg I am looking something command like 

| stats max(count(errors) by status

time                                       status             errors                    count

2022-03-02 05:30 100 not found 100
2022-03-02 05:30 200 success 300
2022-03-02 05:30 300 failed 500
2022-03-02 06:30 100 not found 400
2022-03-02 06:30 200 success 500
2022-03-02 06:30 300 failed 600
2022-03-02 07:30 100 not found 200
2022-03-02 07:30 200 success 700
2022-03-02 07:30 300 failed 200

 

What I am looking for is the max count each status and error

time                                       status           errors                    count

2022-03-02 05:30 100 not found 400
2022-03-02 06:30 200 success 700
2022-03-02 07:30 300 failed 600

 

I tried many thing but with no luck, if someone could help with this.

Labels (3)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bijodev1
Communicator
‎03-02-2022 08:28 AM

thank you everyone.

Took me sometime , But this one worked for me

my search 
| stats count by _time status errors
| sort -count
| dedup _time status
| sort _time

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

bijodev1
Communicator
‎03-02-2022 08:28 AM

thank you everyone.

Took me sometime , But this one worked for me

my search 
| stats count by _time status errors
| sort -count
| dedup _time status
| sort _time

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎03-02-2022 05:04 AM

It looks like there is a one-to-one relationship between status and errors, so would this work?

| stats max(count) as count values(errors) as errors max(time) as time by status
0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎03-02-2022 05:00 AM

Try something like this

Your base search which gives fields _time status errors count
| eventstats max(count) as max by status errors
| where count=max | fields -max
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...