Splunk Search

How to find max value of multiple fields in one record?

paganom
New Member

I have a record that shows multiple temperature readings of a device in a single record. Each "temp" has it's own unique field name. They all have in common *TempVal. I can do a bunch of commands that displays each field. I want to know which one is the max value, but none of the names are common.

| stats max(*TempVal) gives a single line of each field.

Sample record:
1331154676 src_host="ACH_Dist" perfdata="SERVICEPERFDATA" name="Cisco Environment" severity="CRITICAL" attempt="3" statetype="HARD" executiontime="0.447" latency="9.234" reason="6 Fan OK, ps chassis-1 Power Supply 1, WS-CAC:notFunctioning , 48 temp OK : CRITICAL" result="Chassis1module9inlettemperaTempVal=25 Chassis1module9inlettemperaTempMax=70 Chassis1module1outlettemperTempVal=48 Chassis1module1outlettemperTempMax=90 Chassis1module2outlettemperTempVal=43 Chassis1module2outlettemperTempMax=90 Chassis1VTT3outlettemperatuTempVal=28 Chassis1VTT3outlettemperatuTempMax=115 Chassis2module4outlettemperTempVal=40 Chassis2module4outlettemperTempMax=85 Chassis1module4outlettemperTempVal=38 Chassis1module4outlettemperTempMax=85 Chassis1module2inlettemperaTempVal=24 Chassis1module2inlettemperaTempMax=65 Chassis2module5asic-4temperTempVal=56 Chassis2module5asic-4temperTempMax=110 Chassis2module7inlettemperaTempVal=29 Chassis2module7inlettemperaTempMax=70 Chassis1module5asic-4temperTempVal=52 Chassis1module5asic-4temperTempMax=110 Chassis2module7outlettemperTempVal=32 Chassis2module7outlettemperTempMax=85 Chassis2module6inlettemperaTempVal=25 Chassis2module6inlettemperaTempMax=70 Chassis1VTT1outlettemperatuTempVal=32 Chassis1VTT1outlettemperatuTempMax=115 Chassis1module5RPinlettempTempVal=32 Chassis1module5RPinlettempTempMax=65 Chassis1module4EARLinletteTempVal=26 Chassis1module4EARLinletteTempMax=75 Chassis1module9outlettemperTempVal=45 Chassis1module9outlettemperTempMax=100 Chassis2module9outlettemperTempVal=50 Chassis2module9outlettemperTempMax=100 Chassis1module5EARLoutlettTempVal=31 Chassis1module5EARLoutlettTempMax=75 Chassis2module4EARLinletteTempVal=30 Chassis2module4EARLinletteTempMax=75 Chassis2module2inlettemperaTempVal=26 Chassis2module2inlettemperaTempMax=65 Chassis2module5EARLinletteTempVal=27 Chassis2module5EARLinletteTempMax=65 Chassis1module4inlettemperaTempVal=28 Chassis1module4inlettemperaTempMax=65 Chassis1module5inlettemperaTempVal=24 Chassis1module5inlettemperaTempMax=80 Chassis2module7device-1tempTempVal=27 Chassis2module7device-1tempTempMax=70 Chassis2module1outlettemperTempVal=49 Chassis2module1outlettemperTempMax=90 Chassis1module5asic-3temperTempVal=39 Chassis1module5asic-3temperTempMax=110 Chassis2module1inlettemperaTempVal=26 Chassis2module1inlettemperaTempMax=65 Chassis2VTT2outlettemperatuTempVal=31 Chassis2VTT2outlettemperatuTempMax=115 Chassis2module5RPinlettempTempVal=32 Chassis2module5RPinlettempTempMax=65 Chassis2module5inlettemperaTempVal=24 Chassis2module5inlettemperaTempMax=80 Chassis2module4inlettemperaTempVal=30 Chassis2module4inlettemperaTempMax=65 Chassis2module6outlettemperTempVal=40 Chassis2module6outlettemperTempMax=100 Chassis2VTT3outlettemperatuTempVal=26 Chassis2VTT3outlettemperatuTempMax=115 Chassis2module9inlettemperaTempVal=24 Chassis2module9inlettemperaTempMax=70 Chassis2module5EARLoutlettTempVal=32 Chassis2module5EARLoutlettTempMax=75 Chassis1module5outlettemperTempVal=35 Chassis1module5outlettemperTempMax=85 Chassis2module5outlettemperTempVal=36 Chassis2module5outlettemperTempMax=85 Chassis1VTT2outlettemperatuTempVal=26 Chassis1VTT2outlettemperatuTempMax=115 Chassis1module5RPoutlettemTempVal=31 Chassis1module5RPoutlettemTempMax=65 Chassis2module7device-2tempTempVal=30 Chassis2module7device-2tempTempMax=75 Chassis2module4EARLoutlettTempVal=32 Chassis2module4EARLoutlettTempMax=80 Chassis1module1inlettemperaTempVal=24 Chassis1module1inlettemperaTempMax=65 Chassis2module2outlettemperTempVal=44 Chassis2module2outlettemperTempMax=90 Chassis1module4EARLoutlettTempVal=30 Chassis1module4EARLoutlettTempMax=80 Chassis2module5RPoutlettemTempVal=32 Chassis2module5RPoutlettemTempMax=65 Chassis1module5EARLinletteTempVal=24 Chassis1module5EARLinletteTempMax=65 Chassis2VTT1outlettemperatuTempVal=28 Chassis2VTT1outlettemperatuTempMax=115 Chassis2module5asic-3temperTempVal=40 Chassis2module5asic-3temperTempMax=110"

Tags (2)
0 Karma
1 Solution

Masa
Splunk Employee
Splunk Employee
 | rex  max_match=100 "Chassis\w+TempVal=(?<TempVal>\d+)" 
 | stats max(TempVal)

View solution in original post

Masa
Splunk Employee
Splunk Employee
 | rex  max_match=100 "Chassis\w+TempVal=(?<TempVal>\d+)" 
 | stats max(TempVal)

paganom
New Member

Thanks. Just what I was looking for.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...