Solved: stats\timechart after timechart

reverse · ‎09-30-2019

| timechart span=10m avg(Value) as AV by Host useother=false

after running this query - I get desired values for all HOSTS..
Now I want to get MAX of each column for the day ..

Stats wouldn't show anything ..

| stats max(AV) BY Host

renjith_nair · ‎09-30-2019

@reverse ,

Try

 "your search"|untable _time,Host,AV |stats max(AV) BY Host

---
What goes around comes around. If it helps, hit it with Karma 🙂

nareshinsvu · ‎09-30-2019

Agree with Renjith's comments. But if you need to capture the time of the max event as well, then try this.

"your search"
|untable _time Host AV 
|eventstats  max(AV) as max_AV by Host 
| where AV=max_AV 
| table _time Host AV

renjith_nair · ‎09-30-2019

@reverse ,

Try

 "your search"|untable _time,Host,AV |stats max(AV) BY Host

---
What goes around comes around. If it helps, hit it with Karma 🙂

reverse · ‎09-30-2019

Amazing .. cleared all the clutter too ..
thank you for such a clean solution

stats\timechart after timechart