I am working with a stats table with 7 fields.

| tstats count as "f" where a=* b=* c=* d=* e=* by a b c d e
| stats sum(f) as f list(f) as f_list max(f) as f_max list(c) as c_list list(d) as d_list list(e) as e_list by b

I would like to be able to take b's f_max and match it to the correlating value in b_list, c_list, d_list, e_list, f_list.

Anyone able to provide the SPL for this type of search?
Please can you clarify. You said you are working with 7 fields, by which it appears you mean f, f_list, f_max, c_list, d_list, e_list and b. None of these is a_list or b_list and it isn't clear which is a's f_max.
Oops, I meant: b's f_max and match it to the correlating value in b_list, c_list, d_list, e_list, f_list.

Basically, I am working with the count of events from index, sourcetype, source, host, and a custom field added to tsidx files. b = sourcetype. f_max is the largest value found in f_list. I am trying to determine what values correlate to the c_list, d_list, e_list, and f_list.

Out of all our sources within a sourcetype, which one is the largest, what is its name, where is it coming from, and which group owns it (the customer field)?
Will something like this work for you?
| tstats count as "f" where a=* b=* c=* d=* e=* by a b c d e
| eventstats max(f) as f_max by b
| where f=f_max
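The reason the answer above works where the original stats search did not: stats with list() collapses each sourcetype to one row and the relation between a given f and its source/host/owner survives only as positional alignment across the multivalue fields, whereas eventstats keeps every tstats row intact and merely adds the per-sourcetype maximum, so where f=f_max can select the whole row. The following is an added example, not code from the thread or from Splunk, that replays those two SPL steps in Python over constructed rows standing in for tstats output, with field meanings taken from the asker's clarification (a=index, b=sourcetype, c=source, d=host, e=the custom field, f=count). It also covers the caveat a practitioner will hit: when two sources in one sourcetype tie for the maximum, where f=f_max keeps both rows, and a trailing dedup b (which keeps the first row seen per value, like Splunk's dedup) is one way to force a single answer per sourcetype. All sample values and function names are invented for illustration.

```python
# Constructed rows standing in for the output of
#   | tstats count as "f" where a=* b=* c=* d=* e=* by a b c d e
# a=index, b=sourcetype, c=source, d=host, e=custom owner field, f=count.
# Values are made up; note the deliberate tie inside the "syslog" group.
TSTATS_ROWS = [
    {"a": "main", "b": "syslog", "c": "/var/log/auth.log", "d": "web01", "e": "platform", "f": 1200},
    {"a": "main", "b": "syslog", "c": "/var/log/messages", "d": "web02", "e": "platform", "f": 4800},
    {"a": "main", "b": "syslog", "c": "/var/log/secure", "d": "db01", "e": "dba", "f": 4800},
    {"a": "sec", "b": "wineventlog", "c": "WinEventLog:Security", "d": "dc01", "e": "ad-team", "f": 25000},
    {"a": "sec", "b": "wineventlog", "c": "WinEventLog:System", "d": "dc01", "e": "ad-team", "f": 300},
]


def eventstats_max(rows, field, by):
    """Mimic `| eventstats max(<field>) as <field>_max by <by>`.

    Unlike stats, every input row is kept with all of its fields; each row
    just gains one extra field holding the maximum of <field> in its group.
    """
    group_max = {}
    for r in rows:
        group_max[r[by]] = max(group_max.get(r[by], float("-inf")), r[field])
    return [dict(r, **{f"{field}_max": group_max[r[by]]}) for r in rows]


def where_equal(rows, left, right):
    """Mimic `| where <left>=<right>`: keep rows where the two fields match."""
    return [r for r in rows if r[left] == r[right]]


def largest_source_per_sourcetype(rows):
    """The full pipeline from the answer: eventstats max(f) by b, then where f=f_max.

    Returns complete rows, so source (c), host (d) and owner (e) of the largest
    source are read directly off the row instead of being aligned by list index.
    Ties are NOT broken here: a sourcetype with two equal maxima yields two rows.
    """
    return where_equal(eventstats_max(rows, "f", "b"), "f", "f_max")


def dedup_first(rows, by):
    """Mimic `| dedup <by>`: keep the first row seen for each value of <by>.

    Appended to the pipeline this forces one row per sourcetype on ties; which
    row survives depends on row order, so sort first if that matters.
    """
    seen, out = set(), []
    for r in rows:
        if r[by] not in seen:
            seen.add(r[by])
            out.append(r)
    return out


if __name__ == "__main__":
    for row in largest_source_per_sourcetype(TSTATS_ROWS):
        print(f"{row['b']:12} {row['c']:24} host={row['d']:6} owner={row['e']:9} f={row['f']}")
    print("after dedup b:")
    for row in dedup_first(largest_source_per_sourcetype(TSTATS_ROWS), "b"):
        print(f"{row['b']:12} {row['c']:24} host={row['d']:6} owner={row['e']:9} f={row['f']}")
```

Running it shows the syslog group returning both tied sources before dedup and only the first after, which is the same behaviour the SPL will show on a real index.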