The max() function can be used to find the largest value in a numeric field across all matching events. It returns a single value representing the maximum found in a field named _max.

In this example, the max() function is used to find the slowest response time from a set of web server logs. The response time is the time from the receipt of a request to the complete processing of the request.

Example incoming data might look like this:

The query is used to find the slowest response time in the event set, helping identify potential performance issues. Response time is an important parameter. If server response time is high, it may indicate that the server is overloaded and having difficulties processing requests.

This query is useful, for example, to identify performance bottlenecks, monitor service level agreement (SLA) breaches, or detect abnormal response times.

Sample output from the incoming example data:

The result shows a response time of 2850ms (2.85 seconds), which falls into the poor performance category and could indicate a significant performance issue requiring investigation.

Note that the result shows the single largest value found in the responsetime field across all events in the default output field _max.

The maximum response time can be effectively displayed in a single value widget on a dashboard. For more comprehensive performance analysis, consider combining this with other aggregation functions like min() and avg() to show the full range of response times. For an example, see Calculate Minimum and Maximum Response Times.