Instead of dealing with the messiness of a natural language, it might be better to use standard notation of duration, like

| fieldformat max(event.Properties.duration) = tostring('max(event.Properties.duration)', "duration")

Instead of 40 mins , 30 mins or 1 hrs, you get 00:40:00, 00:30:00, 01:00:00, and so on.

| chart max('event.Properties.duration') by event.Properties.endpoint

Something like this?

I tried the search, but not getting the max number 

Hi Thanks for the responce 

yes, i have gone through aggregate function, could you please help how to implement in the code 

Exp 1 -  chart eval(avg(size)/max(delay)) AS ratio BY host user 

 OR      timechart eval(round(avg(cpu_seconds),2)) BY processor

That'll depends on what you want to show for your risk score.  Do you want to show max?  Do you want to show avg?  Is there a groupby field you want to use?

Note the excerpted examples from the document are very specific to the problem the examples are trying to illustrate.  It is not a substitute for you to describe your desired output.  If you don't tell people, volunteers would have no way to read your mind.

In the simplest form, you can experiment with something like

| chart avg('event.Properties.riskScore')
  max('event.Properties.riskScore')
  min('event.Properties.riskScore')
  stdev('event.Properties.riskScore')

But you already did this.  So, what is your desired output?  Alternatively, what is the use case you are trying to apply?  What is the business problem you are trying to solve/illustrate using this dashboard?