Solved: Re: How to get the field name of the maximum value...

brajaram · ‎06-14-2018

I have data that has several fields. I want to compare the fields to find the max value of them, which I can do via
| eval maximum=max(field1, field2, field3)

However, I also want to return the field name of the value that is the highest. Is there a simple function that does this?

masonmorales · ‎06-14-2018

It would be helpful to have some context on what your end goal is, but what you're describing is possible by just doing something like this:

index=_internal source=*metrics* | fieldsummary | sort - max | head 1 | fields field max

or

index=_internal source=*metrics* | fieldsummary | stats max(max) as max by field | sort - max

View solution in original post

masonmorales · ‎06-14-2018

It would be helpful to have some context on what your end goal is, but what you're describing is possible by just doing something like this:

index=_internal source=*metrics* | fieldsummary | sort - max | head 1 | fields field max

or

index=_internal source=*metrics* | fieldsummary | stats max(max) as max by field | sort - max

sunilsk1 · ‎10-05-2018

After sorting . pipe the result to "|head 1" to display just the one row you are interested in.

How to get the field name of the maximum value of several fields?

Modern way of developing distributed application using OTel

Enterprise Security Content Update (ESCU) | New Releases

Archived Metrics Now Available for APAC and EMEA realms