I have data in json format as following:-
{Run=1 , Average=2.1, Max=3, Min=1.4, Transaction=Sample1}
{Run=1 , Average=2.1, Max=3, Min=1.4,Transaction=Sample2}
{Run=2 , Average=2.3, Max=3.1, Min=1.5,Transaction=Sample1}
{Run=2 , Average=2.3, Max=3.1, Min=1.5,Transaction=Sample2}
{Run=3 , Average=2.6, Max=3.2, Min=1.6,Transaction=Sample1}
{Run=3 , Average=2.6, Max=3.2, Min=1.6,Transaction=Sample2}
I want to compare all the fields with each other for the top 2 Run Values.
The below query is getting the data in the format I exactly need but i'm not able to pass Run Values via query dynamically:-
index=pt sourcetype=_json | search Run=3 |rename Average as "Average1" | rename Maximum as "Max1"| join Transaction type=inner[ search index=pt sourcetype=_json | search Run=2 |rename Average as "Average2" | rename Maximum as "Max2"| table Transaction, Average2] |table Transaction, Average1,Average2,Max1, Max2
Result:-
Transaction Average1 Average2 Max1 Max2
Sample1 2.6 2.3 3.2 3.1
Sample2 2.6 2.3 3.2 3.1
How to capture the second max value for a field like Run and get the desired results?
... View more