index="performance" sourcetype="physical_cpu" | addtotals fieldname=CPU_SUM CPU_* | rex mode=sed field=_raw "s/ //g" | eval cpu_cnt=len(_raw)/5 | eval value=CPU_SUM/cpu_cnt | stats avg(value) as avg_val ,max(value) as max_val ,min(value) as min_val by _time host | eventstats max(value) as max_val by host | sort -max_val | where host="host" OR host="host1" OR host="host2" OR host="host3" OR host="host4" | sort max_val desc | table host,max_val,avg_val,min_val im using upper query by get below table, but i'd like to get max_value of host at the time how can i get the to-be table? AS-IS host max_val av_val min_val host1 111 0.111 0.01111 host2 222 0.222 0.02222 host3 333 0.333 0.03333 host4 444 0.444 0.04444 TO-BE time host max_val 2021-08-11 10:00:000 host1 111 2021-08-11 12:00:000 host2 222 2021-08-11 13:00:000 host1 333 2021-08-11 14:00:000 host3 444
... View more