Hi @yuanliu ,

I used all your solutions to have this:

| eventstats max(alert_level) as max_val BY title1
            | stats 
               values(eval(if(alert_level=max_val,title4,""))) AS title4
               max(alert_level) AS alert_level 
               BY title1

Thank you for you all support.

Ciao.

Giuseppe

Ahhhh... You had yet another field _called_ value. I suppose we all missed that and assumed "value" meant the value of one of the title* fields, not a separate field. *facepalm*

In this case, you can still avoid using eventstats

| sort - alert_level title1
| streamstats current=t dc(alert_level) as selector by title1
| where selector=1
| stats values(title4) as title4s by title1

Don't get me wrong - eventstats is a powerful and useful command but with some bigger datasets you might consider alternatives.

Ahh... ok. If it is suppossed to mean all results for the max value of field1, it's also a relatively easy to use sort and streamstats.

Your typical

| sort - field1

will give you your data sorted in descending order. That means that you have your max values first. This in turn means that you don't have to eventstats over whole resukt set. Just use streamstats to copy over the first value which must be the maximum value.

| streamstats current=t first(field1) as field1max

Now all that's left is to filter

| where field1=field1max

Since we're operating on our initial result we've retained all original fields.

Of course for for additional performance boost you can remove unnecessary fields prior to sorting so you don't needlessly drag them around just to get rid of them immediately after if you have a big data set to sort.(Same goes for limiting your processed data volume in with eventstats-based solution)

Hi @all,

Thank you for all your hints, but my issue is that I must find the title4, for each title1 where value is max, with this solution I find the max value for each title1, not the title4 where value is max and relative value for each title1.

Have you any other hint?

Ciao.

Giuseppe

I too don't quite get your statement "where value is max"  - you said you have 

title1 title2 title3 title4 value

so I assumed titles are text elements and the value is numeric. Does the table below model your data or is it different?

title1 title4 value  

What does max in your description represent?  I understood you want all the values of title4 "where value is max". Can you define what max is.

For title4-X, Y and Z the max of values by title 4 are 92, 97 and 71.

For title1-A, B and C the max of values by title1 are 90, 97 and 92.

Do either of these describe your 'max'.

An example would be useful?

Ok. Honestly, I'm a bit confused. I don't understand what you mean by "where value is max".

As I understand it if you have

You want

as a result because for each value of title1 you want the max value of title4, no?

Maybe we just misunderstand each other...

Yup. +1 on eventstats. Stats will aggregate all data leaving you with just max value. Appendpipe will append stats at the end but you'll still have them as a separate entity. You could use subsearch but it would be ugly and ineffective (you'd have to run the main search twice effectively). Eventstats it is.

But since eventstats has limitations, you can cheat a little.

| sort - title1 title4
| dedup title1

It doesn't replace eventstats in a general case but for max or min value it might be a bit quicker than eventstats and will almost surely have lower memory footprint.

I agree.  I would try eventstats as well.