Solved: Using subsearches to get highest value

markthompson · ‎02-11-2015

Hello,
I have a search that tables certain values from my data fields, although i wish to create a new field on all events called Maximum that gets the latest value of a field called max and another called min

mzorzi · ‎02-11-2015

You can use eventstats:

index=_internal | eventstats max(date_second) AS MAX min(date_second) as MIN | table date_second,MAX,MIN

View solution in original post

mzorzi · ‎02-11-2015

You can use eventstats:

index=_internal | eventstats max(date_second) AS MAX min(date_second) as MIN | table date_second,MAX,MIN

markthompson · ‎02-11-2015

Hi mzorzi,

Thanks for your response.

I used eventstats but I also wanted to get values from the search and table them as well.
Do you know how?

MuS · ‎02-11-2015

Could you provide the search and if possible some sample data?

Using subsearches to get highest value

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Tiling

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

Upgrade Prep for 10.4, Network Observability Deep Dives, and More from Splunk Lantern

Join the Conversation