Solved: How to show table with highest values in a column

maniu1609 · ‎05-22-2018

Timechart output shows me table with two columns. column one is _time and column two is interger values.
example:
_time count
2018-05-22 10:07:16 4
2018-05-22 10:08:09 4
2018-05-22 10:07:45 4
2018-05-22 10:06:54 2
2018-05-22 10:07:11 1

Now I want display table with highest count column. Since 4 is the highest value in column "count", I want to display those rows having highest count 4 as below :

_time count
2018-05-22 10:07:16 4
2018-05-22 10:08:09 4
2018-05-22 10:07:45 4

How I can achieve this. Thanks in advance!!

somesoni2 · ‎05-22-2018

Try like this

your current search giving field _time and count 
| eventstats max(count) as max
| where count=max | fields - max

View solution in original post

somesoni2 · ‎05-22-2018

Try like this

your current search giving field _time and count 
| eventstats max(count) as max
| where count=max | fields - max

maniu1609 · ‎05-25-2018

Great!!. Thanks a lot!!

How to show table with highest values in a column

Video | Welcome Back to Smartness, Pedro

Detector Best Practices: Static Thresholds

Expert Tips from Splunk Education, Observability in Action, Plus More New Articles on ...