Splunk Search

How would I return the value of a correlating field by giving the value of another field...

jason_hotchkiss
Communicator

I am working with a stats table with 7 fields.

| tstats count as "f" where a=* b=*  c=* d=* e=*  by a b c d e
| stats
  sum(f) as f
  list(f) as f_list
  max(f) as f_max
  list(c) as c_list
  list(d) as d_list
  list(e) as e_list
  by b

I would like to be able to take:
  
   b's f_max and match it to the correlating value in b_list, c_list, d_list, e_list, f_list

Anyone able to provide the SPL for this type of search?


ITWhisperer
SplunkTrust

Please can you clarify. You said you are working with 7 fields, by which it appears you mean f, f_list, f_max, c_list, d_list, e_list and b. None of these is a_list or b_list and it isn't clear which is a's f_max.


jason_hotchkiss
Communicator

Oops,

I meant:

b's f_max and match it to the correlating value in b_list, c_list, d_list, e_list, f_list

Basically, I am working with the count of events from index, sourcetype, source, host, and a custom field added to tsidx files.

b = sourcetype.  f_max is the largest value found in f_list.  I am trying to determine what values correlate to the c_list, d_list, e_list, and f_list.

Out of all our sources within a sourcetype, which one is the largest, what is its name, where it is coming from, and which group owns it (the customer field).


ITWhisperer
SplunkTrust

Will something like this work for you?

| tstats count as "f" where a=* b=*  c=* d=* e=*  by a b c d e
| eventstats max(f) as f_max  by b
| where f=f_max
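As an added example (not from either poster), the following SPL combines the eventstats/where idea with the original stats table, so each sourcetype row keeps its f_list/c_list/d_list/e_list and also carries the a, c, d and e values belonging to the row with f_max. Field names a..e are the placeholder names used in the thread; the flag field is_max and the top_* output names are assumptions.

```spl
| tstats count as f where a=* b=* c=* d=* e=* by a b c d e
| eventstats max(f) as f_max by b
| eval is_max=if(f=f_max, 1, 0)
| stats sum(f) as f_total,
        max(f) as f_max,
        list(f) as f_list,
        list(c) as c_list,
        list(d) as d_list,
        list(e) as e_list,
        values(eval(if(is_max=1, a, null()))) as top_a,
        values(eval(if(is_max=1, c, null()))) as top_c,
        values(eval(if(is_max=1, d, null()))) as top_d,
        values(eval(if(is_max=1, e, null()))) as top_e
  by b
```

If several sources tie for the largest count within a sourcetype, values() returns all of them in top_*, which is usually what you want when checking which source dominates a sourcetype's ingest volume; use first() after a sort if you need exactly one.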