Solved: Re: SHOW number of highest devices seen

woodlandrelic · ‎03-24-2023

HI

So I have this dashboard showing the below.

HBSS ACAS CMRSACAS CMRSHBSS
89 92 84 77

MY question is how do I get the dashboard to show ONLY the highest count for the day. Since the dashboard are updated daily? Any help will be fantastic.

Thanks

Tom_Lundie · ‎03-24-2023

It would be helpful if you could share some of your upstream SPL (and maybe even some sample data). This might help us to generate efficient SPL for your use-case.

That being said, here is a way to convert the table you provided into the largest device count.

| transpose column_name=devices
| rename "row 1" as count
| eventstats max(count) as max_count
| where count=max_count

This has the ability to return multiple rows if they have the largest count in common. You could use | head 1 after to limit it to one result.

View solution in original post

Tom_Lundie · ‎03-24-2023

It would be helpful if you could share some of your upstream SPL (and maybe even some sample data). This might help us to generate efficient SPL for your use-case.

That being said, here is a way to convert the table you provided into the largest device count.

| transpose column_name=devices
| rename "row 1" as count
| eventstats max(count) as max_count
| where count=max_count

This has the ability to return multiple rows if they have the largest count in common. You could use | head 1 after to limit it to one result.

woodlandrelic · ‎03-27-2023

Hi @Tom_Lundie

So I figure it out and replace the individual search with
|search system_id=$system_id$

Thank you very much

How do I get the dashboard to show ONLY the highest count for the day?

stats

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms