I have a data like this , and i want to display the step with maximum value.
Detail: { [-]
Id: 12345678
RequestCompleteTS: 2023-04-27T15:59:30.6960113-04:00
Steps: { [-]
0-step1: 32
0-step2: 15
3-step3: 33
4-step4: 49
5-step5: 15
6-step6: 9
7-step7: 8
}
StepsCnt: 18
TargetRegion: BRD
}
LogType: Info
Message: Success
Time: 2023-04-27 15:59:30.696--04:00
Desired Output
Id | Step that is taking maximum time |
12345678 | 4-step4 |
Thank you very much. Exactly what i needed.
Hi @sivaranjani
Here's a run anywhere example showing a method...
| makeresults | eval _raw="{
\"Detail\": {
\"Id\": 12345678,
\"RequestCompleteTS\": \"2023-04-27T15:59:30.6960113-04:00\",
\"Steps\": {
\"0-step1\": 32,
\"0-step2\": 15,
\"3-step3\": 33,
\"4-step4\": 49,
\"5-step5\": 15,
\"6-step6\": 9,
\"7-step7\": 8
},
\"StepsCnt\": 18,
\"TargetRegion\": \"BRD\"
},
\"LogType\": \"Info\",
\"Message\": \"Success\",
\"Time\": \"2023-04-27 15:59:30.696--04:00\"
}"
``` ^^^ create dummy event ^^^ ```
| spath
| rename Detail.Id AS Id Detail.Steps.* AS *
| foreach *step* [ eval Steps=if(isnull(Steps), '<<FIELD>>', mvappend(Steps, '<<FIELD>>')) ]
| eval steps_list_ordered=mvmap( mvsort(mvmap(mvdedup(Steps), len(Steps) . "-" . Steps)), substr(Steps, 3) )
,maxtime=mvindex(steps_list_ordered, mvcount(steps_list_ordered)-1)
| foreach *-step* [ eval "maxstep"=if('<<FIELD>>'=maxtime, "<<FIELD>>", if(isnotnull('maxstep'), 'maxstep', null())) ]
| rename maxstep AS "Step that is taking maximum time"
| table Id "Step that is taking maximum time" maxtime
Hope that helps.
Also, in the future please copy and paste the raw event data (syntax highlighting off) into the question using the Insert/Edit code sample button as this makes it far easier to try and help