Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How would I return the value of a correlating field by giving the value of another field...

jason_hotchkiss
Communicator
‎07-02-2021 07:38 AM

I am working with a stats table with 7 fields.

| tstats count as "f" where a=* b=*  c=* d=* e=*  by a b c d e
| stats
  sum(f) as f
  list(f) as f_list
  max(f) as f_max
  list(c) as c_list
  list(d) as d_list
  list(e) as e_list
  by b

I would like to be able to take:
  
   b's f_max and match it to the correlating value in b_list, c_list, d_list, e_list, f_list

Anyone able to provide the SPL for this type of search?

Labels (4)
Labels
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎07-02-2021 07:48 AM

Please can you clarify. You said you are working with 7 fields, by which it appears you mean f, f_list, f_max, c_list, d_list, e_list and b. None of these is a_list or b_list and it isn't clear which is a's f_max.

0 Karma
Reply

jason_hotchkiss
Communicator
‎07-02-2021 08:19 AM

Oops,

I meant:

b's f_max and match it to the correlating value in b_list, c_list, d_list, e_list, f_list

basically, I am working with the count of events from index, sourcetype, source, host, and a custom field added to tsidx files.

b = sourcetype.  f_max is the largest value found in f_list.  I am trying to determine what values correlate to the c_list, d_list, e_list, and f_list.

Out of all our sources within a sourcetype, which one is the largest, what is its name, where it is coming from, and which group owns it (the customer field).

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎07-02-2021 08:29 AM

Will something like this work for you?

| tstats count as "f" where a=* b=*  c=* d=* e=*  by a b c d e
| eventstats max(f) as f_max  by b
| where f=f_max
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Watch On Demand the Tech Talk on November 6 at 11AM PT, and empower your SOC to reach new heights! Duration: ...

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...