Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk Statics Table - How to get the max of column and use it to evaluate each row

stevenulbrich
Explorer
‎02-05-2021 02:04 PM

Splunk Statics Table - How to get the max of column and use it to evaluate each row

Hello, looking for advice and recommendations.
I have a splunk query 
index=idx_source1 source=*app.log* clientEntitlementsCacheDataRetriever clientCount|table _time,host,clientCount

I am trying to get the max value of the clientCount  then use that value to compare to the each host.  The idea to make are report/alert of host not having all the clients in cache.

I suspect a subquery could be used but not sure  that will work on a report. 

Need Help - from banging my Head more

 

Steven

Labels (2)
Labels
Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

scelikok
SplunkTrust
SplunkTrust
‎02-06-2021 01:45 AM

Hi @stevenulbrich,

You can try below;

index=idx_source1 source=*app.log* clientEntitlementsCacheDataRetriever clientCount
| fields _time,host,clientCount
| eventstats max(clientCount) as max_clientCount
| eval status=if(clientCount<max_clientCount,"NotOK","OK")
| table _time host clientCount status
If this reply helps you an upvote and "Accept as Solution" is appreciated.

View solution in original post

Reply
Solved! Jump to solution

stevenulbrich
Explorer
‎02-06-2021 06:52 PM

I will give it a try tomorrow and update with my results. 

0 Karma
Reply
Solved! Jump to solution

tread_splunk
Splunk Employee
Splunk Employee
‎02-06-2021 07:57 AM

Do you want max value of clientCount for each host?  In which case... 

| eventstats max(clientCount) by host

Or max value of clientCount regardless of host?  In which case ...

| eventstats max(clientCount)

 

Reply
Solved! Jump to solution
Solution

scelikok
SplunkTrust
SplunkTrust
‎02-06-2021 01:45 AM

Hi @stevenulbrich,

You can try below;

index=idx_source1 source=*app.log* clientEntitlementsCacheDataRetriever clientCount
| fields _time,host,clientCount
| eventstats max(clientCount) as max_clientCount
| eval status=if(clientCount<max_clientCount,"NotOK","OK")
| table _time host clientCount status
If this reply helps you an upvote and "Accept as Solution" is appreciated.
Reply
Get Updates on the Splunk Community!

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...