Solved: How to show table with highest values in a column

maniu1609 · ‎05-22-2018

Timechart output shows me table with two columns. column one is _time and column two is interger values.
example:
_time count
2018-05-22 10:07:16 4
2018-05-22 10:08:09 4
2018-05-22 10:07:45 4
2018-05-22 10:06:54 2
2018-05-22 10:07:11 1

Now I want display table with highest count column. Since 4 is the highest value in column "count", I want to display those rows having highest count 4 as below :

_time count
2018-05-22 10:07:16 4
2018-05-22 10:08:09 4
2018-05-22 10:07:45 4

How I can achieve this. Thanks in advance!!

somesoni2 · ‎05-22-2018

Try like this

your current search giving field _time and count 
| eventstats max(count) as max
| where count=max | fields - max

View solution in original post

somesoni2 · ‎05-22-2018

Try like this

your current search giving field _time and count 
| eventstats max(count) as max
| where count=max | fields - max

maniu1609 · ‎05-25-2018

Great!!. Thanks a lot!!

How to show table with highest values in a column

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you a member of the Splunk Community?

How to show table with highest values in a column

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem