@ITWhispererThanks for answer. what is the different?

The difference is mine will work, yours won't! 😀

"status" isn't a valid SPL command

Adding the field name to the rex expression identifies what the field is to be called.

@ITWhisperer actually i have performance issue, original post modified, I had typo.

Rather than extracting the Q field at search time, you could consider extracting it at index time (transform/props .conf). That would at least remove the rex processing when trying to determine the max.

You could also try creating a summary index with the max values every minute for example, then look for the max in the summary index events rather than the raw events.

@ITWhisperer actually this is summary index 🙂 and still huge!
I try to use transform too but increase index time drastically !

Any other idea?

Try a summary of the summary in larger timeslices.