I have a search like this to fetch the maximum value. Now the case i wanted to add is, if the maximum value field is 4-step4 then i want my table to display second maximum value as the max step. Desired result  Id Step that is taking maximum time maxtime 12345678 3-step3 33   | makeresults | eval _raw="{ \"Detail\": { \"Id\": 12345678, \"RequestCompleteTS\": \"2023-04-27T15:59:30.6960113-04:00\", \"Steps\": { \"0-step1\": 32, \"0-step2\": 15, \"3-step3\": 33, \"4-step4\": 49, \"5-step5\": 15, \"6-step6\": 9, \"7-step7\": 8 }, \"StepsCnt\": 18, \"TargetRegion\": \"BRD\" }, \"LogType\": \"Info\", \"Message\": \"Success\", \"Time\": \"2023-04-27 15:59:30.696--04:00\"" ``` ^^^ create dummy event ^^^ ``` | spath | rename Detail.Id AS Id Detail.Steps.* AS * | foreach *step* [ eval Steps=if(isnull(Steps), '<<FIELD>>', mvappend(Steps, '<<FIELD>>')) ] | eval steps_list_ordered=mvmap( mvsort(mvmap(mvdedup(Steps), len(Steps) . "-" . Steps)), substr(Steps, 3) ) ,maxtime=mvindex(steps_list_ordered, mvcount(steps_list_ordered)-1) | foreach *-step* [ eval "maxstep"=if('<<FIELD>>'=maxtime, "<<FIELD>>", if(isnotnull('maxstep'), 'maxstep', null())) ] | rename maxstep AS "Step that is taking maximum time" | table Id "Step that is taking maximum time" maxtime ​   ... View more

I have a data like this , and i want to display the step with maximum value. Detail: { [-] Id: 12345678 RequestCompleteTS: 2023-04-27T15:59:30.6960113-04:00 Steps: { [-] 0-step1: 32 0-step2: 15 3-step3: 33 4-step4: 49 5-step5: 15 6-step6: 9 7-step7: 8 } StepsCnt: 18 TargetRegion: BRD } LogType: Info Message: Success Time: 2023-04-27 15:59:30.696--04:00 Desired Output Id Step that is taking maximum time 12345678 4-step4 ... View more