Selects the event with the maximum value in the specified field. Only the included fields will be present in the resulting event. If multiple events have the same maximum value, then it is non-deterministic which event will be selected.
Omitted Argument Names
The argument name for field can be omitted; the following forms of this function are equivalent:
selectFromMax("field",include=["value"])
and:
selectFromMax(field="field",include=["value"])
These examples show basic structure only; full examples are provided below.
selectFromMax() Examples
Find the latest value of a field x (and when that value was from).
selectFromMax(@timestamp, include=[x, @timestamp])
This selects the event with the maximum value of @timestamp that also contains the specified field x, and returns an event with the fields @timestamp and x only.
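The same selection can be applied once per entity by passing selectFromMax() as the aggregate function of groupBy(). This is an added example, not taken from the original page: the field names user, outcome and src_ip are hypothetical. It returns the accounts whose most recent login attempt failed.

```logscale
// Added example; user, outcome and src_ip are hypothetical field names.
// For each user, keep only the newest event, reduced to the listed fields.
groupBy(user, function=selectFromMax(@timestamp, include=[@timestamp, outcome, src_ip]))
// Keep the users whose latest recorded attempt was a failure.
| outcome = "failure"
```

If two events for the same user share the same maximum @timestamp, which of them is selected is non-deterministic, so the reported outcome and src_ip can differ between runs for that user.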