Identifies the event with the maximum value in a specified field and returns selected fields from that event.

The resulting event contains only the fields specified in the include parameter.

If multiple events share the same maximum value, the selectFromMax() function returns one of those events in a non-deterministic way; do not rely on which one is chosen.

Parameter   Type              Required   Default Value   Description
field[a]    string            required                   The name of the field that is used to find the maximum value.
include     array of strings  required                   The names of the fields to include in the generated event.

[a] The parameter name field can be omitted.


Find Most Recent (Latest) Value of Field X

Find the most recent (latest) value of field X using the selectFromMax() function

Query:

  selectFromMax(@timestamp, include=[x, @timestamp])
Introduction

In this example, the selectFromMax() function is used to find the most recent (latest) value of the field x and return the timestamp when that value was recorded.

Step-by-Step
  1. Starting with the source repository events.

  2. Query:
     selectFromMax(@timestamp, include=[x, @timestamp])

    Finds the event with the highest (most recent) @timestamp value and returns only the specified fields x and @timestamp from that event.

    In this example, selectFromMax() filters for the "maximum value" of @timestamp, and finds the event with the newest/latest timestamp in the event set that also contains the specified field x. Timestamps are typically stored as numerical values (often in Unix epoch format), where larger numbers represent more recent times.

    The include parameter is used to specify which fields to include in the output.

  3. Event Result set.

Summary and Results

The query is used to find the most recent value of field x by selecting the event with the highest (most recent) timestamp value.

Using this query is an efficient way to find the latest value since it does not require sorting all results or using other aggregation functions - the query directly selects the most recent matching event.
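As an added illustration (not LogScale's own code), the following Python model reproduces the behaviour described above over constructed sample events: events lacking a numeric value in the selected field are skipped, only the include fields survive, and an empty candidate set yields no event. The latest_per_key() helper mirrors applying the function once per user; that per-key usage is an assumption for illustration, not something this page states.

```python
from typing import Any, Dict, Iterable, List, Optional

Event = Dict[str, Any]


def _as_number(value: Any) -> Optional[float]:
    """Field values arrive as strings; compare them numerically when possible."""
    try:
        return float(value)
    except (TypeError, ValueError):
        return None


def select_from_max(events: Iterable[Event], field: str, include: List[str]) -> Optional[Event]:
    """Model of selectFromMax(field, include=[...]).

    Returns one event holding only the `include` fields of the event whose
    `field` value is largest. Events without a numeric `field` are ignored;
    with no candidates, no event is produced (None). The documented behaviour
    on ties is non-deterministic; this model simply keeps the first one seen.
    """
    best: Optional[Event] = None
    best_value: Optional[float] = None
    for event in events:
        value = _as_number(event.get(field))
        if value is None:
            continue
        if best_value is None or value > best_value:
            best, best_value = event, value
    if best is None:
        return None
    # Only the requested fields survive in the generated event.
    return {name: best[name] for name in include if name in best}


def latest_per_key(events: Iterable[Event], key: str, field: str, include: List[str]) -> Dict[str, Event]:
    """Apply select_from_max separately per value of `key` (assumed usage: latest event per user)."""
    buckets: Dict[str, List[Event]] = {}
    for event in events:
        if key in event:
            buckets.setdefault(event[key], []).append(event)
    results: Dict[str, Event] = {}
    for k, bucket in buckets.items():
        selected = select_from_max(bucket, field, include)
        if selected is not None:
            results[k] = selected
    return results


# Constructed sample events (@timestamp in epoch milliseconds); not real log data.
SAMPLE_EVENTS: List[Event] = [
    {"@timestamp": "1700000000000", "user": "alice", "src_ip": "10.0.0.5", "action": "login"},
    {"@timestamp": "1700000300000", "user": "bob", "src_ip": "10.0.0.9", "action": "login"},
    {"@timestamp": "1700000600000", "user": "alice", "src_ip": "10.0.0.7", "action": "login"},
    {"@timestamp": "1700000900000", "user": "bob", "src_ip": "10.0.0.9", "action": "logout"},
    {"user": "carol", "src_ip": "10.0.0.3", "action": "login"},  # no @timestamp: never selected
]
```

Running select_from_max(SAMPLE_EVENTS, "@timestamp", ["src_ip", "@timestamp"]) returns only src_ip and @timestamp of bob's logout event; the action field is dropped because it is not in include.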