Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

ID of the max value event

kvaga
Explorer
‎01-11-2019 09:37 AM

Hello!
I have a table like this

ID, OperationName, Duration
1, oper_x, 114
2, oper_x, 117
3, oper_c, 76
4, oper_z, 87
5, oper_c, 76
6, oper_z, 128

I want to show ID and OperationName which have max Duration. For example:

ID, OperationName, Duration
2, oper_x, 117
3, oper_c, 76
6, oper_z, 128

Please help me. How can I do it? I tried ti use eventstat for max value searching grouped by OperationName. But can't show corresponding ID value

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

cmerriman
Super Champion
‎01-11-2019 10:51 AM

can you try something like this:

|eventstats max(Duration) as max_opp_duration by OperationName|where max_opp_duration=Duration

this will give you two rows for oper_c, since ID 3 and 5 have the same duration. you could add min(ID) as min_opp_id to the eventstats and then add AND min_opp_id=ID to the where statement

View solution in original post

Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎01-11-2019 12:35 PM

Like this:

| makeresults 
| eval raw="1 oper_x 114:::2 oper_x 117:::3 oper_c 76:::4 oper_z 87:::5 oper_c 76:::6 oper_z 128" 
| makemv delim=":::" raw 
| mvexpand raw 
| rename raw AS _raw 
| rex "^(?<ID>\S+)\s+(?<OperationName>\S+)\s+(?<Duration>\S+)" 

| rename COMMENT AS "Everything above generates sample event data; everything below is your solution"

| sort 0 - Duration 
| dedup OperationName
| sort 0 ID
Reply
Solved! Jump to solution

kvaga
Explorer
‎01-11-2019 11:42 PM

Thank you. It is another one good solution. Works correctly. My awards for you

Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎01-12-2019 07:20 AM

You can only Accept one but you can UpVote all of them.

0 Karma
Reply
Solved! Jump to solution

jkat54
SplunkTrust
SplunkTrust
‎01-11-2019 11:55 AM

Is this the answer?

  | stats max(Duration) by ID, OperationName
0 Karma
Reply
Solved! Jump to solution

kvaga
Explorer
‎01-11-2019 12:21 PM

Unfortunately, no. Since ID is unique then you will have huge amount of pairs ID, OperationName

0 Karma
Reply
Solved! Jump to solution
Solution

cmerriman
Super Champion
‎01-11-2019 10:51 AM

can you try something like this:

|eventstats max(Duration) as max_opp_duration by OperationName|where max_opp_duration=Duration

this will give you two rows for oper_c, since ID 3 and 5 have the same duration. you could add min(ID) as min_opp_id to the eventstats and then add AND min_opp_id=ID to the where statement

Reply
Solved! Jump to solution

kvaga
Explorer
‎01-11-2019 12:11 PM

Thank you very much! It is exactly what I need!

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...