Solved: How to get the field name of the maximum value of ...

brajaram · ‎06-14-2018

I have data that has several fields. I want to compare the fields to find the max value of them, which I can do via
| eval maximum=max(field1, field2, field3)

However, I also want to return the field name of the value that is the highest. Is there a simple function that does this?

masonmorales · ‎06-14-2018

It would be helpful to have some context on what your end goal is, but what you're describing is possible by just doing something like this:

index=_internal source=*metrics* | fieldsummary | sort - max | head 1 | fields field max

or

index=_internal source=*metrics* | fieldsummary | stats max(max) as max by field | sort - max

View solution in original post

masonmorales · ‎06-14-2018

It would be helpful to have some context on what your end goal is, but what you're describing is possible by just doing something like this:

index=_internal source=*metrics* | fieldsummary | sort - max | head 1 | fields field max

or

index=_internal source=*metrics* | fieldsummary | stats max(max) as max by field | sort - max

sunilsk1 · ‎10-05-2018

After sorting . pipe the result to "|head 1" to display just the one row you are interested in.

How to get the field name of the maximum value of several fields?

Observe and Secure All Apps with Splunk

Splunk Decoded: Business Transactions vs Business IQ

Fastest way to demo Observability

Are you a member of the Splunk Community?

How to get the field name of the maximum value of several fields?

Observe and Secure All Apps with Splunk

Splunk Decoded: Business Transactions vs Business IQ

Fastest way to demo Observability