Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I get the dashboard to show  ONLY the highest count for the day?

woodlandrelic
Path Finder
‎03-24-2023 03:11 PM

HI 

So I have this dashboard showing the below. 

HBSS      ACAS        CMRSACAS    CMRSHBSS
89              92               84                          77

MY question is how do I get the dashboard to show  ONLY the highest count for the day. Since the dashboard are updated daily? Any help will be fantastic.

Thanks

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Tom_Lundie
Contributor
‎03-24-2023 05:50 PM

It would be helpful if you could share some of your upstream SPL (and maybe even some sample data). This might help us to generate efficient SPL for your use-case.

That being said, here is a way to convert the table you provided into the largest device count.

 

| transpose column_name=devices
| rename "row 1" as count
| eventstats max(count) as max_count
| where count=max_count

 

This has the ability to return multiple rows if they have the largest count in common. You could use | head 1 after to limit it to one result.

View solution in original post

Reply
Solved! Jump to solution
Solution

Tom_Lundie
Contributor
‎03-24-2023 05:50 PM

It would be helpful if you could share some of your upstream SPL (and maybe even some sample data). This might help us to generate efficient SPL for your use-case.

That being said, here is a way to convert the table you provided into the largest device count.

 

| transpose column_name=devices
| rename "row 1" as count
| eventstats max(count) as max_count
| where count=max_count

 

This has the ability to return multiple rows if they have the largest count in common. You could use | head 1 after to limit it to one result.

Reply
Solved! Jump to solution

woodlandrelic
Path Finder
‎03-27-2023 09:06 AM

Hi @Tom_Lundie 

So I figure it out and replace the individual search with
 |search system_id=$system_id$

| transpose column_name=devices
| rename "row 2" as count
| eventstats max(count) as max_count
| where count=max_count
| table max_count
| head 1

 

 

Thank you very much

Tags (1)
Reply
Get Updates on the Splunk Community!

Splunk at Cisco Live 2025: Learning, Innovation, and a Little Bit of Mr. Brightside

Pack your bags (and maybe your dancing shoes)—Cisco Live is heading to San Diego, June 8–12, 2025, and Splunk ...

Splunk App Dev Community Updates – What’s New and What’s Next

Welcome to your go-to roundup of everything happening in the Splunk App Dev Community! Whether you're building ...

The Latest Cisco Integrations With Splunk Platform!

Join us for an exciting tech talk where we’ll explore the latest integrations in Cisco + Splunk! We’ve ...