Re: How to show only the maximum value and showing...

Rithekakan · ‎08-03-2022

Hi every one, I want a report which showing only the maximum value (days_since) and show the condition base on the maximum value (Pending_since).
I would be appreciated for your help.

This is my search
indix=...............
...................
| eval days_since = floor((now() - _time) / 86400)
| eval Pending_since = case(days_since == 0, "Today", days_since < 30, "Pending (< 30 days)", days_since > 45, "Pending ( > 45 days)", days_since > 30, "Pending ( 30>Days<45 )", days_since < 45, "Pending ( 30>Days<45 )", days_since > 1, days_since . " Days")

yuanliu · ‎08-03-2022

The screenshot doesn't seem to match sample SPL. But at the simplest level, would this be useful?

indix=...............
...................
| eval days_since = floor((now() - _time) / 86400)
| stats max(days_since) as days_since by status
| eval Pending_since = case(days_since == 0, "Today", days_since < 30, "Pending (< 30 days)", days_since > 45, "Pending ( > 45 days)", days_since > 30, "Pending ( 30>Days<45 )", days_since < 45, "Pending ( 30>Days<45 )", days_since > 1, days_since . " Days")

How to show only the maximum value and showing the condition base on that maximum?

eval

stats

Data Management Digest – December 2025

Index This | What is broken 80% of the time by February?

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Join the Conversation