Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk Statics Table - How to get the max of column and use it to evaluate each row

stevenulbrich
Explorer
‎02-05-2021 02:04 PM

Splunk Statics Table - How to get the max of column and use it to evaluate each row

Hello, looking for advice and recommendations.
I have a splunk query 
index=idx_source1 source=*app.log* clientEntitlementsCacheDataRetriever clientCount|table _time,host,clientCount

I am trying to get the max value of the clientCount  then use that value to compare to the each host.  The idea to make are report/alert of host not having all the clients in cache.

I suspect a subquery could be used but not sure  that will work on a report. 

Need Help - from banging my Head more

 

Steven

Labels (2)
Labels
Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

scelikok
SplunkTrust
SplunkTrust
‎02-06-2021 01:45 AM

Hi @stevenulbrich,

You can try below;

index=idx_source1 source=*app.log* clientEntitlementsCacheDataRetriever clientCount
| fields _time,host,clientCount
| eventstats max(clientCount) as max_clientCount
| eval status=if(clientCount<max_clientCount,"NotOK","OK")
| table _time host clientCount status
If this reply helps you an upvote and "Accept as Solution" is appreciated.

View solution in original post

Reply
Solved! Jump to solution

stevenulbrich
Explorer
‎02-06-2021 06:52 PM

I will give it a try tomorrow and update with my results. 

0 Karma
Reply
Solved! Jump to solution

tread_splunk
Splunk Employee
Splunk Employee
‎02-06-2021 07:57 AM

Do you want max value of clientCount for each host?  In which case... 

| eventstats max(clientCount) by host

Or max value of clientCount regardless of host?  In which case ...

| eventstats max(clientCount)

 

Reply
Solved! Jump to solution
Solution

scelikok
SplunkTrust
SplunkTrust
‎02-06-2021 01:45 AM

Hi @stevenulbrich,

You can try below;

index=idx_source1 source=*app.log* clientEntitlementsCacheDataRetriever clientCount
| fields _time,host,clientCount
| eventstats max(clientCount) as max_clientCount
| eval status=if(clientCount<max_clientCount,"NotOK","OK")
| table _time host clientCount status
If this reply helps you an upvote and "Accept as Solution" is appreciated.
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...