Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How do I display the largest value of multiple fields in an event?

sajbutler
Path Finder
‎02-26-2012 08:41 PM

I have a search which results in an event which has multiple instances of the field eltime.

alt text

Does anyone know how I can only display the largest value of the field eltime

Tags (1)
0 Karma
Reply

lpolo
Motivator
‎02-27-2012 05:47 AM

did you tried:

|stats max(eltime) as largest_value_of_eltime.

Reply

lpolo
Motivator
‎02-28-2012 05:11 AM

If eltime is the result of a transaction command your transaction command should group all the values of eltime in a multi-value list. Then, you should be able to get the maximum. like for example:

|transaction eltime delim="," mvlist=eltime|eval maximum_eltime=max(eltime)|table maximum_eltime

0 Karma
Reply

sajbutler
Path Finder
‎02-27-2012 12:45 PM

Doesn't quite work the way I want it to. I want to determine the maximum value of eltime for each event (there are multiple instances of eltime for each event - This is because each event is an output of the transaction command)

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | Forward, I’m heavy; backward, I’m not. What am I?

April 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

A Guide To Cloud Migration Success

As enterprises’ rapid expansion to the cloud continues, IT leaders are continuously looking for ways to focus ...

Join Us for Splunk University and Get Your Bootcamp Game On!

If you know, you know! Splunk University is the vibe this summer so register today for bootcamps galore ...