Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk Statics Table - How to get the max of column and use it to evaluate each row

stevenulbrich
Explorer
‎02-05-2021 02:04 PM

Splunk Statics Table - How to get the max of column and use it to evaluate each row

Hello, looking for advice and recommendations.
I have a splunk query 
index=idx_source1 source=*app.log* clientEntitlementsCacheDataRetriever clientCount|table _time,host,clientCount

I am trying to get the max value of the clientCount  then use that value to compare to the each host.  The idea to make are report/alert of host not having all the clients in cache.

I suspect a subquery could be used but not sure  that will work on a report. 

Need Help - from banging my Head more

 

Steven

Labels (2)
Labels
Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

scelikok
SplunkTrust
SplunkTrust
‎02-06-2021 01:45 AM

Hi @stevenulbrich,

You can try below;

index=idx_source1 source=*app.log* clientEntitlementsCacheDataRetriever clientCount
| fields _time,host,clientCount
| eventstats max(clientCount) as max_clientCount
| eval status=if(clientCount<max_clientCount,"NotOK","OK")
| table _time host clientCount status
If this reply helps you an upvote and "Accept as Solution" is appreciated.

View solution in original post

Reply
Solved! Jump to solution

stevenulbrich
Explorer
‎02-06-2021 06:52 PM

I will give it a try tomorrow and update with my results. 

0 Karma
Reply
Solved! Jump to solution

tread_splunk
Splunk Employee
Splunk Employee
‎02-06-2021 07:57 AM

Do you want max value of clientCount for each host?  In which case... 

| eventstats max(clientCount) by host

Or max value of clientCount regardless of host?  In which case ...

| eventstats max(clientCount)

 

Reply
Solved! Jump to solution
Solution

scelikok
SplunkTrust
SplunkTrust
‎02-06-2021 01:45 AM

Hi @stevenulbrich,

You can try below;

index=idx_source1 source=*app.log* clientEntitlementsCacheDataRetriever clientCount
| fields _time,host,clientCount
| eventstats max(clientCount) as max_clientCount
| eval status=if(clientCount<max_clientCount,"NotOK","OK")
| table _time host clientCount status
If this reply helps you an upvote and "Accept as Solution" is appreciated.
Reply
Get Updates on the Splunk Community!

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...