Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How do I display the largest value of multiple fields in an event?

sajbutler
Path Finder
‎02-26-2012 08:41 PM

I have a search which results in an event which has multiple instances of the field eltime.

alt text

Does anyone know how I can only display the largest value of the field eltime

Tags (1)
0 Karma
Reply

lpolo
Motivator
‎02-27-2012 05:47 AM

did you tried:

|stats max(eltime) as largest_value_of_eltime.

Reply

lpolo
Motivator
‎02-28-2012 05:11 AM

If eltime is the result of a transaction command your transaction command should group all the values of eltime in a multi-value list. Then, you should be able to get the maximum. like for example:

|transaction eltime delim="," mvlist=eltime|eval maximum_eltime=max(eltime)|table maximum_eltime

0 Karma
Reply

sajbutler
Path Finder
‎02-27-2012 12:45 PM

Doesn't quite work the way I want it to. I want to determine the maximum value of eltime for each event (there are multiple instances of eltime for each event - This is because each event is an output of the transaction command)

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...