Current query :
index=salcus sourcetype= ticket_mgmt_rest source= http:ticket_mgmt_rest |rename "properties.o2-TroubleTicket-ReqId" as REQID | transaction REQID keepevicted=true | search eventcount=2 |table REQID duration |sort -duration
Now I want only top 1 record which has maximum duration , so how can I modify above query
1 Solution
