
How to get the Max Value and Sum for each column and put in a table?

srobinsonxtl
Path Finder

All,

I have been trying to figure this out, but I am running out of ideas. I have the following data (note the column names are random):

abc,def,ghi,jkl,mno 
0.992914032,0.213073702,0.935738281,0.940319131,0.181638896 
0.687276125,0.43039188,0.628441474,0.572250223,0.075034346  
0.038652134,0.553207754,0.405580043,0.610962327,0.11309537
0.625120419,0.93665033,0.735556537,0.106862919,0.307562806  
0.517483329,0.977309163,0.780669733,0.941357026,0.715071147 
0.299775797,0.066687935,0.506144686,0.422054339,0.030493397 
0.616155594,0.639585224,0.021914164,0.893909265,0.885999592 
0.830145224,0.14859778,0.47885759,0.980377541,0.789053001   
0.154432947,0.25110087,0.928589057,0.946643805,0.318930878  

I would like to get the Max Value and Sum for each column and put in a table like such.

Column,Total,Max            
abc,4.761955602,0.992914032         
def,4.216604639,0.977309163         
ghi,5.421491564,0.935738281         
jkl,6.414736576,0.980377541         
mno,3.416879433,0.885999592

I would appreciate any help anyone could provide me.

Thanks,

Stephen Robinson


somesoni2
SplunkTrust

Try like this

Your current search giving your dynamic fields e.g. abc,def,ghi,jkl,mno
| eval temp=1
| table temp *
| untable temp Column Value
| stats sum(Value) as Total max(Value) as Max by Column

The core of this solution is the untable command. Read more about it here: http://docs.splunk.com/Documentation/Splunk/7.1.1/SearchReference/Untable
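What the accepted search does to the question's sample data, emulated in Python as an added example (not part of the original post and not Splunk's implementation): untable turns each wide row into one (Column, Value) row per field, which stats ... by Column can then aggregate. The function names and the handling of empty cells are assumptions of this sketch.

```python
import csv
import io

# Rows from the question. Row 3's jkl value is read as 0.610962327, the
# reading that reproduces the jkl total stated in the question (assumption).
SAMPLE_CSV = """abc,def,ghi,jkl,mno
0.992914032,0.213073702,0.935738281,0.940319131,0.181638896
0.687276125,0.43039188,0.628441474,0.572250223,0.075034346
0.038652134,0.553207754,0.405580043,0.610962327,0.11309537
0.625120419,0.93665033,0.735556537,0.106862919,0.307562806
0.517483329,0.977309163,0.780669733,0.941357026,0.715071147
0.299775797,0.066687935,0.506144686,0.422054339,0.030493397
0.616155594,0.639585224,0.021914164,0.893909265,0.885999592
0.830145224,0.14859778,0.47885759,0.980377541,0.789053001
0.154432947,0.25110087,0.928589057,0.946643805,0.318930878
"""


def untable(rows, x_field, name_field, value_field):
    """Wide to long: one output row per (input row, field other than x_field)."""
    long_rows = []
    for row in rows:
        for field, value in row.items():
            if field == x_field or value in (None, ""):
                continue  # sketch choice: an empty cell yields no output row
            long_rows.append({x_field: row[x_field], name_field: field,
                              value_field: float(value)})
    return long_rows


def column_stats(csv_text):
    """Emulate: eval temp=1 | table temp * | untable ... | stats ... by Column."""
    rows = [dict(r, temp=1) for r in csv.DictReader(io.StringIO(csv_text))]
    agg = {}
    for r in untable(rows, "temp", "Column", "Value"):
        total, biggest = agg.get(r["Column"], (0.0, float("-inf")))
        agg[r["Column"]] = (total + r["Value"], max(biggest, r["Value"]))
    # One (Column, Total, Max) tuple per original column, ordered by name
    return [(col, t, m) for col, (t, m) in sorted(agg.items())]


if __name__ == "__main__":
    print("Column,Total,Max")
    for col, total, biggest in column_stats(SAMPLE_CSV):
        print(f"{col},{total:.9f},{biggest:.9f}")
```

The constant temp field exists only to give untable a fixed key column; because every row carries the same value, grouping by Column alone aggregates across all input rows.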


srobinsonxtl
Path Finder

This worked perfectly.

Thanks a million.

Thanks,

Stephen Robinson
