Finds the largest number for the specified field over a set of events.
Hide omitted argument names for this function
Omitted Argument NamesThe argument name for
fieldcan be omitted; the following forms of this function are equivalent:logscale Syntaxmax("value")and:
logscale Syntaxmax(field="value")These examples show basic structure only.
max() Syntax Examples
Return what was the maximum responsetime:
max(responsetime)Filter for events in the repository with maximum responsetime values greater than 5 seconds:
max(responsetime)
| _max> 5max() Examples
Click next to an example below to get the full details.
Calculate Minimum and Maximum Response Times
Calculate minimum and maximum response times using multiple aggregate functions in square brackets
Query
[min_response := min(responsetime), max_response := max(responsetime)]Introduction
In this example, the min() and
max() functions are used to find the shortest and
longest response times, with results stored in named fields.
Square brackets allow multiple aggregations to be performed in a single operation
Writing a list of aggregators in square brackets is a shorthand syntax
for the stats() function.
Example incoming data might look like this:
| @timestamp | endpoint | responsetime | status_code |
|---|---|---|---|
| 1686837825000 | /api/users | 145 | 200 |
| 1686837826000 | /api/products | 892 | 200 |
| 1686837827000 | /api/orders | 167 | 200 |
| 1686837828000 | /api/payment | 1290 | 500 |
| 1686837829000 | /api/users | 156 | 200 |
| 1686837830000 | /api/items | 78 | 200 |
| 1686837831000 | /api/orders | 934 | 200 |
| 1686837832000 | /api/checkout | 923 | 200 |
| 1686837833000 | /api/products | 134 | 200 |
| 1686837834000 | /api/users | 445 | 200 |
Step-by-Step
Starting with the source repository events.
- logscale
[min_response := min(responsetime), max_response := max(responsetime)]In a single operation, calculates the minimum value from the responsetime field and returns the results in a field named min_response, and calculates the maximum value from the responsetime field and returns the results in a field named max_response.
Square brackets allow multiple aggregations to be performed in a single operation
Event Result set.
Summary and Results
The query is used to find the range of response times by calculating both the minimum and maximum values.
The results are returned in fields with names specified in the field assignments
This query is useful, for example, to monitor service performance, identify outliers in response times, or establish performance baselines.
Sample output from the incoming example data:
| min_response | max_response |
|---|---|
| 78 | 1290 |
Note that only one row is returned containing both calculated values.
Find Maximum Value in Field
Calculate the maximum value in a numeric field using the
max() function
Query
max(responsetime)Introduction
In this example, the max() function is used to find
the slowest response time from a set of web server logs. The response
time is the time from the receipt of a request to the complete
processing of the request.
Example incoming data might look like this:
| @timestamp | endpoint | responsetime | status |
|---|---|---|---|
| 2025-08-06T10:00:00Z | /api/users | 180 | 200 |
| 2025-08-06T10:00:01Z | /api/products | 2850 | 200 |
| 2025-08-06T10:00:02Z | /api/orders | 95 | 200 |
| 2025-08-06T10:00:03Z | /api/users | 450 | 200 |
| 2025-08-06T10:00:04Z | /api/products | 1275 | 200 |
Step-by-Step
Starting with the source repository events.
- logscale
max(responsetime)Calculates the maximum value found in the responsetime field across all events and returns the result in a new field named _max. If server response time is high, it may indicate that the server is overloaded and having difficulties processing requests.
If no events contain the specified field, or if the field contains non-numeric values, the function returns nothing.
Event Result set.
Summary and Results
The query is used to find the slowest response time in the event set, helping identify potential performance issues. Response time is an important parameter. If server response time is high, it may indicate that the server is overloaded and having difficulties processing requests.
This query is useful, for example, to identify performance bottlenecks, monitor service level agreement (SLA) breaches, or detect abnormal response times.
Sample output from the incoming example data:
| _max |
|---|
| 2850 |
The result shows a response time of 2850ms (2.85 seconds), which falls into the poor performance category and could indicate a significant performance issue requiring investigation.
Note that the result shows the single largest value found in the responsetime field across all events in the default output field _max.
The maximum response time can be effectively displayed in a single value
widget on a dashboard. For more comprehensive performance analysis,
consider combining this with other aggregation functions like
min() and avg() to show the
full range of response times. For an example, see
Calculate Minimum and Maximum Response Times.