Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to produce a table visualization that spans time?

sjlaplac
Loves-to-Learn Lots
‎09-13-2019 02:38 PM

The following SPL returns data for all returns for a day.

How can I just return the maximum return for the day?

Example:
July 1 data returns 12 apples, 10 oranges, and 5 cherries

I would only like to see 12 apples since its the highest count for that particular day.

July 2 returns 10 grapes, 7 kiwis, and 3 dates, only returns 10 grapes for that day

index=RazorApp sourcetype = TotalFruitsSold| | table CurrentDate, FruitsSold

Any help would be greatly appreciated!

0 Karma
Reply

adonio
Ultra Champion
‎09-13-2019 06:55 PM

not sure how your data is structured exactly with FruitSold field, but lets assume its an integer, you will do something like this:
index=RazorApp sourcetype = TotalFruitsSold| | stats max(FruitsSold) as max_ammount by CurrentDate

show us a data sample and we can better assist
further reading:
https://docs.splunk.com/Documentation/Splunk/7.3.1/SearchReference/Stats
https://docs.splunk.com/Documentation/Splunk/7.3.1/SearchReference/Top
https://docs.splunk.com/Documentation/Splunk/7.3.1/SearchReference/Rare
https://docs.splunk.com/Documentation/Splunk/7.3.1/SearchReference/StatisticalFunctions

0 Karma
Reply

maciep
Champion
‎09-14-2019 06:30 AM

and if you need to know which fruit and not just the amount, you may need eventstats instead - get the max, then use it to find the winner.

... | eventstats max(FruitSold) as day_max by CurrentDate | where FruitSold=day_max | table CurrentDate, FruitName, FruitSold

and probably need to decide what you want to do when there's a tie.

0 Karma
Reply

sjlaplac
Loves-to-Learn Lots
‎09-16-2019 05:18 AM

Awesome, this did the trick. Eventstats geez, of course. Thanks a million!

0 Karma
Reply
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...