When I use | stats max(foo)
I get the largest value of foo.
Is it possible to get the whole line of the log which contain this largest value?
Try like this
... | eventstats max(foo) as maxfoo | where foo=maxfoo | table _raw foo
Try like this
... | eventstats max(foo) as maxfoo | where foo=maxfoo | table _raw foo