How would I return the value of a correlating field by giving the value of another field...

jason_hotchkiss
Path Finder

I am working with a stats table with 7 fields.

| tstats count as "f" where a=* b=*  c=* d=* e=*  by a b c d e
| stats
  sum(f) as f
  list(f) as f_list
  max(f) as f_max
  list(c) as c_list
  list(d) as d_list
  list(e) as e_list
  by b

I would like to be able to take:

b's f_max and match it to the correlating value in b_list, c_list, d_list, e_list, f_list

Anyone able to provide the SPL for this type of search?


ITWhisperer
SplunkTrust

Please can you clarify. You said you are working with 7 fields, by which it appears you mean f, f_list, f_max, c_list, d_list, e_list and b. None of these is a_list or b_list and it isn't clear which is a's f_max.


jason_hotchkiss
Path Finder

Oops,

I meant:

b's f_max and match it to the correlating value in b_list, c_list, d_list, e_list, f_list

Basically, I am working with the count of events from index, sourcetype, source, host, and a custom field added to tsidx files.

b = sourcetype.  f_max is the largest value found in f_list.  I am trying to determine what values correlate to the c_list, d_list, e_list, and f_list.

Out of all our sources within a sourcetype, which one is the largest, what is its name, where is it coming from, and which group owns it (the custom field).


ITWhisperer
SplunkTrust

Will something like this work for you?

| tstats count as "f" where a=* b=*  c=* d=* e=*  by a b c d e
| eventstats max(f) as f_max  by b
| where f=f_max
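To see what the eventstats approach keeps that the stats/list() version loses, here is an added Python emulation (not Splunk code and not part of the answer) run over constructed tstats-style rows; the field meanings follow the asker's mapping (a=index, b=sourcetype, c=source, d=host, e=owner field), and the tie case shows that `where f=f_max` returns every row sharing the per-sourcetype maximum.

```python
"""Emulates `tstats count as f ... by a b c d e | eventstats max(f) as f_max by b | where f=f_max`
over constructed rows, to show why eventstats keeps the c/d/e values of the winning row."""
from collections import defaultdict

# Constructed sample of what `tstats count as f ... by a b c d e` would return.
# a=index, b=sourcetype, c=source, d=host, e=custom owner field, f=event count.
TSTATS_ROWS = [
    {"a": "main", "b": "syslog", "c": "/var/log/auth.log", "d": "web01", "e": "team-web", "f": 120},
    {"a": "main", "b": "syslog", "c": "/var/log/auth.log", "d": "db01", "e": "team-db", "f": 480},
    {"a": "main", "b": "syslog", "c": "/var/log/cron", "d": "web01", "e": "team-web", "f": 75},
    {"a": "sec", "b": "wineventlog", "c": "Security", "d": "dc01", "e": "team-ad", "f": 900},
    {"a": "sec", "b": "wineventlog", "c": "Security", "d": "dc02", "e": "team-ad", "f": 900},  # tie
    {"a": "sec", "b": "wineventlog", "c": "System", "d": "dc01", "e": "team-ad", "f": 40},
]


def eventstats_max_by(rows, field, by, out):
    """Like `| eventstats max(<field>) as <out> by <by>`: every row is kept and
    gains its group's maximum, so no row-to-list correlation is lost."""
    group_max = defaultdict(int)  # counts are non-negative, so 0 is a safe floor
    for r in rows:
        group_max[r[by]] = max(group_max[r[by]], r[field])
    return [dict(r, **{out: group_max[r[by]]}) for r in rows]


def top_source_per_sourcetype(rows=TSTATS_ROWS):
    """`| eventstats max(f) as f_max by b | where f=f_max`: the row(s) whose count
    equals the per-sourcetype maximum, with their own c/d/e values intact.
    Ties yield more than one row per sourcetype, exactly as the SPL would."""
    annotated = eventstats_max_by(rows, field="f", by="b", out="f_max")
    return [r for r in annotated if r["f"] == r["f_max"]]


if __name__ == "__main__":
    for r in top_source_per_sourcetype():
        print(f"{r['b']}: {r['c']} on {r['d']} owned by {r['e']} ({r['f']} events)")
```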