Solved: How to get the field name of the maximum value of ...

brajaram · ‎06-14-2018

I have data that has several fields. I want to compare the fields to find the max value of them, which I can do via
| eval maximum=max(field1, field2, field3)

However, I also want to return the field name of the value that is the highest. Is there a simple function that does this?

masonmorales · ‎06-14-2018

It would be helpful to have some context on what your end goal is, but what you're describing is possible by just doing something like this:

index=_internal source=*metrics* | fieldsummary | sort - max | head 1 | fields field max

or

index=_internal source=*metrics* | fieldsummary | stats max(max) as max by field | sort - max

View solution in original post

masonmorales · ‎06-14-2018

It would be helpful to have some context on what your end goal is, but what you're describing is possible by just doing something like this:

index=_internal source=*metrics* | fieldsummary | sort - max | head 1 | fields field max

or

index=_internal source=*metrics* | fieldsummary | stats max(max) as max by field | sort - max

sunilsk1 · ‎10-05-2018

After sorting . pipe the result to "|head 1" to display just the one row you are interested in.

How to get the field name of the maximum value of several fields?

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!