So the concept is ridiculously simple, however I am having a monumental brain fart.
I want to generate a table with 3 columns: method, maxduration, guid
I only want to have as many rows as there are unique methods, and return the guid of that event with the max duration returned.
Example of what I want:
get,23000,GUID4295690
put,2243,GUID211233
post,24321,GUID8986
However the number of unique methods can change based on my base search.
Hey
You can use dedup to dedup your http methods.
But I suspect that this is not the sole thing you want.
You want the max duration per http method. So I would go for
your search | stats max(duration) as max_duration, values(GID) AS GUID by http_method
That would give you a table of the guids.
If you just want the guid that has max duration, do
yoursearch | eventstats max(duration) as max_duration by http_method | where duration=max_duration | table max_duration, THIS, http_method
Ugh, I was making it more complicated than it needed to be in my head.
| eventstats max(DurationMS) as maxduration by method
| where DurationMS=maxduration
| table maxduration method guid
Please, if the answer I gave you solved your issue, accept and upvote that answer.
Ha, I shoulda refreshed before I added my answer, thanks!
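Added example, not part of the original thread: a self-contained search that runs the eventstats approach from the answers above over constructed events generated with makeresults, where two "get" events tie for the maximum duration. The field values and the GUID-CONSTRUCTED-n identifiers are made up for illustration; the `dedup method` step is an addition that keeps a single row per method when several events share the maximum, since `where DurationMS=maxduration` alone returns every tied event.

```spl
| makeresults count=6
| streamstats count AS n
| eval method=case(n<=3, "get", n<=5, "put", true(), "post")
| eval DurationMS=case(n=1, 120, n=2, 23000, n=3, 23000, n=4, 2243, n=5, 15, n=6, 24321)
| eval guid="GUID-CONSTRUCTED-".tostring(n)
| eventstats max(DurationMS) AS maxduration BY method
| where DurationMS=maxduration
| dedup method
| table method maxduration guid
```

Without the dedup the result has four rows (two for get); with it there is one row per method, and the number of rows follows however many distinct methods the base search returns.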