Solved: How to display the rows which has one single value...

sangs8788 · ‎05-19-2020

Hi,

I have a query which displays the resultset as below,

I would like to get the Module which has gone more than 2s in any of the month. In the above screenshot, I need DocumentExchange to be resulted since it exceeded one of the month more than 2 s.

How do I achieve this? I tried to do | foreach *2020 [convert num(<<FIELD>>) as <<FIELD>> | search <<FIELD>>>2] But this results Module which were more than 2s in all the three months. How do i rewrite the query so that it lists Module which exceeds 2s even in any one of the month?

Please advise.
Thanks

using Max brings the max of fieldname and not the value

493669 · ‎05-19-2020

@sangs8788, Try below for each command to get maximum value then compare it with 2.

...|  foreach *2020
   [ eval max = max('<<FIELD>>') ]|where max>2

View solution in original post

493669 · ‎05-19-2020

@sangs8788, Try below for each command to get maximum value then compare it with 2.

...|  foreach *2020
   [ eval max = max('<<FIELD>>') ]|where max>2

sangs8788 · ‎05-26-2020

@493669

It is not providing the max value instead for all the rows it takes max of fields name and not field value.

493669 · ‎05-26-2020

provide your sample data ,what is expected result and what it is returning using above query.

sangs8788 · ‎05-26-2020

I have updated my query with the screenshot. As you can see, Mar-2020 is taken as the max field

493669 · ‎05-26-2020

Try this-

...| foreach *2020 
    [ eval Max=case(Max>='<<FIELD>>',Max,true(),'<<FIELD>>') ]

sangs8788 · ‎05-26-2020

ok you are doing a compare of the max with each and every field. Got it. This should ideally work.

sangs8788 · ‎05-26-2020

This Works. Thanks a lot

sangs8788 · ‎05-19-2020

That works. Thanks

How to display the rows which has one single value more than 2

table

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!