Building on @gcusello's approach, it can be done more efficiently by not using mvexpand and just filtering out the ones that do not match the max value.

index=abc host IN ()
| eval col=_time."|".response_time
| stats
    max(response_time) AS max_response_time
    values(col) AS col
    BY URL
| eval times=mvmap(col, if(match(col, "\|".max_response_time."$"), mvindex(split(col, "|"), 0), null()))
| fields URL max_response_time times
| eval times=strftime(times, "%F %T.%Q")
| rename max_response_time AS "Maximum Response Time"
| sort - "Maximum Response Time"

Note that if you have LOTS of values and lots of URLs you may get a spike in memory usage retaining all the values. Note this also handles the situation where the max response time occurs at more than one time.

You can also do this with eventstats:

index=abc host IN ()
| fields _time response_time URL
| eventstats max(response_time) AS max_response_time BY URL
| where response_time=max_response_time
| stats
    values(max_response_time) AS "Maximum Response Time"
    values(_time) AS times
    BY URL
| eval times=strftime(times, "%F %T.%Q")
| sort - "Maximum Response Time"

Check which will perform better with your data - eventstats can be slow if crunching lots of data.

You can see an example of how this works using either of the techniques above by replacing index=abc... with this, which will give you some simulated data:

| makeresults count=1000
| streamstats count AS c
| eval _time=now() - c
| eval response_time=random() % 1000
| eval URL=mvindex(split("URL1,URL2,URL3,URL4",","), random() % 4)
| fields - c
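As an added illustration (not part of the answer above and not Splunk code), the two strategies from the answer are written out in plain Python over a small constructed event list, so the tie case ("max occurs at more than one time") and the trade-off between retaining every value per URL and doing a two-pass max-then-filter can be inspected outside Splunk. The sample events, field layout and function names are assumptions made for this example. One caveat that the Python version sidesteps: the SPL match() builds the regex "\|<max>$" from the numeric value, so a float maximum such as 75.5 puts an unescaped "." into the pattern, which matches any character; comparing the split-out number directly avoids that.

```python
"""Per-URL maximum response time together with every timestamp at which
it occurred. Added example mirroring the two SPL approaches in the
answer above; all sample data below is constructed, not real traffic."""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample events: (epoch _time, response_time, URL).
# URL1 and URL2 each hit their maximum twice, exercising the tie case.
SAMPLE_EVENTS = [
    (1700000000, 120, "URL1"),
    (1700000001, 980, "URL1"),
    (1700000002, 750, "URL2"),
    (1700000003, 300, "URL2"),
    (1700000004, 750, "URL2"),
    (1700000005, 45, "URL3"),
    (1700000006, 980, "URL1"),  # second occurrence of the URL1 maximum
]


def fmt(epoch):
    """Equivalent of strftime(_time, "%F %T.%Q"): date, time, milliseconds (UTC)."""
    dt = datetime.fromtimestamp(epoch, tz=timezone.utc)
    return dt.strftime("%Y-%m-%d %H:%M:%S.") + f"{dt.microsecond // 1000:03d}"


def via_values(events):
    """stats values() approach: keep every (time, response_time) pair per URL,
    so memory grows with the event count, then pick the pairs at the maximum.
    A tuple stands in for the "_time|response_time" string, so no regex is
    needed to pull the number back out."""
    pairs = defaultdict(list)
    for t, rt, url in events:
        pairs[url].append((t, rt))
    result = {}
    for url, plist in pairs.items():
        mx = max(rt for _, rt in plist)
        result[url] = (mx, sorted(fmt(t) for t, rt in plist if rt == mx))
    return result


def via_eventstats(events):
    """eventstats approach: pass 1 computes the per-URL maximum, pass 2 keeps
    only the events equal to it. Only maxima and matching timestamps are
    retained, not every value."""
    mx = {}
    for _, rt, url in events:
        mx[url] = max(mx.get(url, float("-inf")), rt)
    times = defaultdict(list)
    for t, rt, url in events:
        if rt == mx[url]:
            times[url].append(fmt(t))
    return {url: (mx[url], sorted(ts)) for url, ts in times.items()}


def sorted_report(result):
    """sort - "Maximum Response Time": rows (URL, max, times), highest max first."""
    return sorted(((u, m, ts) for u, (m, ts) in result.items()), key=lambda r: -r[1])


if __name__ == "__main__":
    for url, mx, ts in sorted_report(via_eventstats(SAMPLE_EVENTS)):
        print(url, mx, ts)
```

Both functions return the same mapping for the same input; via_values is the one whose memory footprint scales with the number of events per URL, which is the spike the answer warns about.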