Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How would I return the value of a correlating field by giving the value of another field...

jason_hotchkiss
Communicator
‎07-02-2021 07:38 AM

I am working with a stats table with 7 fields.

| tstats count as "f" where a=* b=*  c=* d=* e=*  by a b c d e
| stats
  sum(f) as f
  list(f) as f_list
  max(f) as f_max
  list(c) as c_list
  list(d) as d_list
  list(e) as e_list
  by b

I would like to be able to take:
  
   b's f_max and match it to the correlating value in b_list, c_list, d_list, e_list, f_list

Anyone able to provide the SPL for this type of search?

Labels (4)
Labels
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎07-02-2021 07:48 AM

Please can you clarify. You said you are working with 7 fields, by which it appears you mean f, f_list, f_max, c_list, d_list, e_list and b. None of these is a_list or b_list and it isn't clear which is a's f_max.

0 Karma
Reply

jason_hotchkiss
Communicator
‎07-02-2021 08:19 AM

Oops,

I meant:

b's f_max and match it to the correlating value in b_list, c_list, d_list, e_list, f_list

basically, I am working with the count of events from index, sourcetype, source, host, and a custom field added to tsidx files.

b = sourcetype.  f_max is the largest value found in f_list.  I am trying to determine what values correlate to the c_list, d_list, e_list, and f_list.

Out of all our sources within a sourcetype, which one is the largest, what is its name, where it is coming from, and which group owns it (the customer field).

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎07-02-2021 08:29 AM

Will something like this work for you?

| tstats count as "f" where a=* b=*  c=* d=* e=*  by a b c d e
| eventstats max(f) as f_max  by b
| where f=f_max
0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...