In this case, I would set up a new field with eventstats (it leaves the original set alone), and then search for where they're equal:
YOUR_SEARCH_HERE | stats count by MB | eventstats max(count) AS max | where count=max
Thank you, it was of help. I had to add the same for the MB column, because when several MB had the same count, it left several.
... | stats count by MB | eventstats max(count) AS maxCount | where count=maxCount | eventstats max(MB) AS maxMB | where MB=maxMB | fields MB