Re: Max values per unique field name

tnkoehn · ‎05-01-2013

I currently have a search that gives me the top counts by time and site. For example, I might get the following results:

Date                    Site     Count
2013-05-01 14:25:00     den01    5729
2013-05-01 14:27:00     den01    5727
2013-05-01 14:12:00     oma01    5698
2013-05-01 14:00:00     den01    5663
2013-05-01 14:04:00     oma01    3961
2013-05-01 14:03:00     atl01    3870
2013-05-01 15:02:00     den01    3666
2013-05-01 14:05:00     oma01    3588
2013-05-01 14:04:00     atl01    2559
2013-05-01 14:03:00     oma01    2554

However, I only want the top results per site. Like this:

Date                    Site     Count
2013-05-01 14:25:00     den01    5729
2013-05-01 14:12:00     oma01    5698
2013-05-01 14:03:00     atl01    3870

I'm not sure how to do this. Any help would be greatly appreciated. Thanks!

bmacias84 · ‎05-01-2013

dedup may work but that depend on sort.
...|fields Date, Site, Count | stats max(Count) as Count by Site | table Date, Site, Count

tnkoehn · ‎05-01-2013

Ah, geez. Answered it myself.

| dedup Site

I knew it was too easy.

Max values per unique field name

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation