Solved: query for top value

DTERM · ‎08-20-2012

Let's say you have a log that looks like....

X -- Y -- Z

=== === ===

AAA BBB 123

AAA BBB 356

YYY ZZZ 800

AAA BBB 900

YYY ZZZ 345

What query would allow me to extract the highest number Z where X and Y are equal.

So for the example above, I would expect to see results like:

AAA BBB 900

YYY ZZZ 800

Thanks.

kristian_kolb · ‎08-20-2012

Well, depending on the nature of X and Y, there are a couple of options, one of them being a simple string concatenation for the comparison:

... | eval Q = X." ".Y | stats max(Z) AS Z by Q | rename Q AS "X and Y"

which would give you a table like;

X and Y          Z
AAA BBB          900
CCC DDD          800

Hope this helps,

Krisitan

View solution in original post

kristian_kolb · ‎08-20-2012

Well, depending on the nature of X and Y, there are a couple of options, one of them being a simple string concatenation for the comparison:

... | eval Q = X." ".Y | stats max(Z) AS Z by Q | rename Q AS "X and Y"

which would give you a table like;

X and Y          Z
AAA BBB          900
CCC DDD          800

Hope this helps,

Krisitan

DTERM · ‎08-22-2012

Thanks much!!

kristian_kolb · ‎08-21-2012

The dot (.) is the concatenation operator; so the eval statement creates the 'AAA BBB' and 'CCC DDD' strings, which appear under the 'X and Y' heading.

Of course, this could have been illustrated better with proper log events.

The reason for doing so is that you'll need to find the highest value for the combination of A and Y.

/k

DTERM · ‎08-21-2012

Perfect. Thanks so much!! But can you explain the "eval Q = X." ".Y" portion of that. I don't quite get that...

Ayn · ‎08-20-2012

Explain how X and Y are equal in the lines you're expecting to see? Also, do you mean that the actual log event looks like this in a kind of tabular format?

query for top value

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!