Solved: How to show the most common non-null value in ever...

seajay1221 · ‎05-20-2022

I have an index with ~200 fields and need to know the single most common non-null value for each field. How do I uncover that with Splunk?

In this example, I'd start here:

Fruits	Sizes	Integers
apple		1
banana	large	10
strawberry		3
apple		3
blueberry	large	2

And would aim to end up here:

Fruits	Sizes	Integers
apple	large	3

I don't have a test query to share since I'm not sure how to begin approaching this, and haven't seen anything on the forum here that is a close match. Would greatly appreciate any insights into how to get this done!

ITWhisperer · ‎05-20-2022

As @richgalloway use the mode function - if you don't want to list all 200 fields on the stats command, try this

| stats mode(*) as *

View solution in original post

ITWhisperer · ‎05-20-2022

As @richgalloway use the mode function - if you don't want to list all 200 fields on the stats command, try this

| stats mode(*) as *

richgalloway · ‎05-20-2022

Try the stats command with the mode function.

| stats mode(Fruits) as Fruits, mode(Sizes) as Sizes, mode(Integers) as Integers

---
If this reply helps you, an upvote would be appreciated.

How to show the most common non-null value in every field?

stats

table

Improve Your Security Posture

Maximize the Value from Microsoft Defender with Splunk

This Week's Community Digest - Splunk Community Happenings [6.27.22]