Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Max values per unique field name

tnkoehn
Path Finder
‎05-01-2013 02:48 PM

I currently have a search that gives me the top counts by time and site. For example, I might get the following results:

Date                    Site     Count
2013-05-01 14:25:00     den01    5729
2013-05-01 14:27:00     den01    5727
2013-05-01 14:12:00     oma01    5698
2013-05-01 14:00:00     den01    5663
2013-05-01 14:04:00     oma01    3961
2013-05-01 14:03:00     atl01    3870
2013-05-01 15:02:00     den01    3666
2013-05-01 14:05:00     oma01    3588
2013-05-01 14:04:00     atl01    2559
2013-05-01 14:03:00     oma01    2554

However, I only want the top results per site. Like this:

Date                    Site     Count
2013-05-01 14:25:00     den01    5729
2013-05-01 14:12:00     oma01    5698
2013-05-01 14:03:00     atl01    3870

I'm not sure how to do this. Any help would be greatly appreciated. Thanks!

Tags (2)
0 Karma
Reply

bmacias84
Champion
‎05-01-2013 03:07 PM

dedup may work but that depend on sort.
...|fields Date, Site, Count | stats max(Count) as Count by Site | table Date, Site, Count

0 Karma
Reply

tnkoehn
Path Finder
‎05-01-2013 03:00 PM

Ah, geez. Answered it myself.

| dedup Site

I knew it was too easy.

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...