Solved: Re: Select a row based on highest value of a field...

KarunK · ‎09-09-2014

Hi All,

I have a table like below (raw table), which shows count of request per 4 hours from two services over a period of two days. I need to find the count values of ServiceA and ServiceB on each day, when the combined request is at peak per day. That will be the values below.

Peak values:-

1/01/2014 4:00  56  89  145
2/01/2014 8:00  56  78  134

Raw Table:-

_time   ServiceA    ServiceB    Total
1/01/2014 0:00  45  56  101
1/01/2014 4:00  56  89  145
1/01/2014 8:00  78  54  132
1/01/2014 12:00 41  11  52
1/01/2014 16:00 23  23  46
1/01/2014 20:00 56  58  114
2/01/2014 0:00  38  56  94
2/01/2014 4:00  54  41  95
2/01/2014 8:00  56  78  134
2/01/2014 12:00 11  23  34
2/01/2014 16:00 23  45  68
2/01/2014 20:00 58  56  114
3/01/2014 0:00  80  49  129

Any ideas how to do it ???

Regards

KK

lguinn2 · ‎09-09-2014

Try this

yoursearchhere
| eval the_date=strftime(_time,"%x")
| eventstats max(total) as MaxTotal by the_date
| where Total=MaxTotal

HTH

View solution in original post

lguinn2 · ‎09-09-2014

Try this

yoursearchhere
| eval the_date=strftime(_time,"%x")
| eventstats max(total) as MaxTotal by the_date
| where Total=MaxTotal

HTH

KarunK · ‎09-10-2014

Thank You !!! Appreciate that.

akocak · ‎03-03-2020

thanks from year 2020 🙂

Select a row based on highest value of a field.

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

May 2026 Splunk Expert Sessions: Security & Observability

Join the Conversation