I have search query in a form that displays the average and max value for the processing time. However, when I Drilldown on the Max value I see all the events with the search rather than just one value. Is there a way to only show the maximum value? below is a sample output and query
....| rex field=_index ".payload number.(?.)completed.in\s(?.\d+)ms(?.\w+)" | eval TimeSec=round(ProcessingTime/1000,0) | stats count(PayloadID) as Payloads avg(TimeSec) as "AvgSec" max(TimeSec) as "Max Sec" BY Account | where Payloads > 1000 | eval "AvgSec"=round(AvgSec, 1) | rename AvgSec as "Avg Sec" |sort "Avg Sec" desc
Account Payloads Avg Sec Max Sec
1 99260697 6485 812.1 2805
2 97038373 1632 383.2 662
3 29490911 23394 357.2 926
4 36156294 1046 341.2 528
... View more