How to show only the maximum value and showing the...

Rithekakan · ‎08-03-2022

Hi every one, I want a report which showing only the maximum value (days_since) and show the condition base on the maximum value (Pending_since).
I would be appreciated for your help.

This is my search
indix=...............
...................
| eval days_since = floor((now() - _time) / 86400)
| eval Pending_since = case(days_since == 0, "Today", days_since < 30, "Pending (< 30 days)", days_since > 45, "Pending ( > 45 days)", days_since > 30, "Pending ( 30>Days<45 )", days_since < 45, "Pending ( 30>Days<45 )", days_since > 1, days_since . " Days")

yuanliu · ‎08-03-2022

The screenshot doesn't seem to match sample SPL. But at the simplest level, would this be useful?

indix=...............
...................
| eval days_since = floor((now() - _time) / 86400)
| stats max(days_since) as days_since by status
| eval Pending_since = case(days_since == 0, "Today", days_since < 30, "Pending (< 30 days)", days_since > 45, "Pending ( > 45 days)", days_since > 30, "Pending ( 30>Days<45 )", days_since < 45, "Pending ( 30>Days<45 )", days_since > 1, days_since . " Days")

How to show only the maximum value and showing the condition base on that maximum?

eval

stats

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you a member of the Splunk Community?