Solved: Re: How to get the field name of the maximum value...

brajaram · ‎06-14-2018

I have data that has several fields. I want to compare the fields to find the max value of them, which I can do via
| eval maximum=max(field1, field2, field3)

However, I also want to return the field name of the value that is the highest. Is there a simple function that does this?

masonmorales · ‎06-14-2018

It would be helpful to have some context on what your end goal is, but what you're describing is possible by just doing something like this:

index=_internal source=*metrics* | fieldsummary | sort - max | head 1 | fields field max

or

index=_internal source=*metrics* | fieldsummary | stats max(max) as max by field | sort - max

View solution in original post

masonmorales · ‎06-14-2018

It would be helpful to have some context on what your end goal is, but what you're describing is possible by just doing something like this:

index=_internal source=*metrics* | fieldsummary | sort - max | head 1 | fields field max

or

index=_internal source=*metrics* | fieldsummary | stats max(max) as max by field | sort - max

sunilsk1 · ‎10-05-2018

After sorting . pipe the result to "|head 1" to display just the one row you are interested in.

How to get the field name of the maximum value of several fields?

Splunk Observability Cloud’s AI Assistant in Action Series: Analyzing and ...

Elevate Your Organization with Splunk’s Next Platform Evolution

Splunk Answers Content Calendar, June Edition

Are you a member of the Splunk Community?

How to get the field name of the maximum value of several fields?

Splunk Observability Cloud’s AI Assistant in Action Series: Analyzing and ...

Elevate Your Organization with Splunk’s Next Platform Evolution

Splunk Answers Content Calendar, June Edition