Max values per unique field name

tnkoehn · ‎05-01-2013

I currently have a search that gives me the top counts by time and site. For example, I might get the following results:

Date                    Site     Count
2013-05-01 14:25:00     den01    5729
2013-05-01 14:27:00     den01    5727
2013-05-01 14:12:00     oma01    5698
2013-05-01 14:00:00     den01    5663
2013-05-01 14:04:00     oma01    3961
2013-05-01 14:03:00     atl01    3870
2013-05-01 15:02:00     den01    3666
2013-05-01 14:05:00     oma01    3588
2013-05-01 14:04:00     atl01    2559
2013-05-01 14:03:00     oma01    2554

However, I only want the top results per site. Like this:

Date                    Site     Count
2013-05-01 14:25:00     den01    5729
2013-05-01 14:12:00     oma01    5698
2013-05-01 14:03:00     atl01    3870

I'm not sure how to do this. Any help would be greatly appreciated. Thanks!

bmacias84 · ‎05-01-2013

dedup may work but that depend on sort.
...|fields Date, Site, Count | stats max(Count) as Count by Site | table Date, Site, Count

tnkoehn · ‎05-01-2013

Ah, geez. Answered it myself.

| dedup Site

I knew it was too easy.

Max values per unique field name

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Combine Multiline Logs into a Single Event with SOCK: a Step-by-Step Guide for ...