Maximum (max)
Description
This operation returns the highest value found in a data set.
How does it work in the search window?
You can use this operation in two different ways: as an Aggregation or as a Create field operation:
Aggregation: returns the highest value found in a specified field for each grouping occurrence.
Create field: creates a field that shows the highest of the values found in two or more numeric fields.
Aggregation
Before being able to perform this operation, you have to group your data. Be aware that the fields used as arguments for the grouping operation will not be available to select as arguments for the aggregation operation.
After grouping the data, select Aggregation in the search window toolbar, then select the Maximum operation. You need to specify one argument:
Argument | Data type | Description |
---|---|---|
Max of (mandatory) | integer, float | When the selected argument is a number, the argument is automatically transformed into Max of and retrieves the highest value found in the specified field for each grouping occurrence. |
Last of (alphabetically ordered) (mandatory) | string | When the selected argument is a string, the argument is automatically transformed into Last of (alphabetically ordered) and retrieves the last of the alphabetically ordered values found in the specified field for each grouping occurrence. Be aware that if a string field used as the argument contains null values, they are considered when ordering alphabetically. Consequently, if the value retrieved is null, it does not mean the operation has failed, only that null is the last value found when ordering alphabetically. Filter out null values before grouping if they should not be candidates for the result. |
The data type of the aggregated values is integer, float or string.
Create field
Select Create field in the search window toolbar, then select the Maximum operation. You need to add at least two Any number arguments, but you can add as many as required.
Argument | Data type |
---|---|
Any number mandatory | integer, float |
Any number mandatory | integer, float |
The data type of the values in the new field is integer or float.
Example
Aggregation
In the siem.logtrust.web.activity table, we want to get the last alphabetical value of the city field in each 5-minute period. Before aggregating the data, the table must be grouped in 5-minute intervals. Then we perform the aggregation using the Maximum operation.
The arguments needed for the Maximum operation are:
Last of (alphabetically ordered) → city field
Click Aggregate function to add the aggregated column.
Create field
In the siem.logtrust.web.activity table, we want to get the highest of the values found in the contentLength and responseTime fields.
The arguments needed for the Maximum operation are:
Any number → contentLength field
Any number → responseTime field
Click Create field.
How does it work in LINQ?
Aggregation
Group your data using the following structure:
group every server_period by field1, field2...
every client_period
Then use select ... as ... to add the new field that will show the aggregated values. This is the syntax for the Maximum operation:
max(numeric_field)
max(string_field)
See Build a query using LINQ to learn more about grouping and aggregating your data using the LINQ language.
Create field
Use select ... as ... to apply the Create field operation. This is the syntax for the Maximum operation:
max(numeric_field1, numeric_field2, numeric_field3...)
Examples
You can copy the following LINQ scripts and try the examples above on the siem.logtrust.web.activity table:
Aggregation
from siem.logtrust.web.activity
group every 5m
every 5m
select max(city) as city_max
Create field
from siem.logtrust.web.activity
select max(contentLength, responseTime) as maxtimelength
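The following query is an added example and is not part of the original page. It combines the two uses of max described above in one aggregation that a security analyst would actually run: per client and per 5-minute window, the slowest response, the largest response body, and the alphabetically last city, after filtering out null city values so that a null cannot become the "last" value (the caveat noted in the Aggregation table). It assumes that the siem.logtrust.web.activity table has a clientIpAddress field and that the isnotnull operation is available in the where clause; neither of those names appears on this page, so treat them as assumptions.

```linq
from siem.logtrust.web.activity
where isnotnull(city)
group every 5m by clientIpAddress
every 5m
select max(responseTime) as slowest_response
select max(contentLength) as largest_body
select max(city) as last_city
```

Because clientIpAddress is a grouping field it is not available as an argument to max, which is why the aggregated arguments are responseTime, contentLength and city. A sudden jump in slowest_response or largest_body for a single client across consecutive windows is a cheap first signal of scraping or resource-exhaustion attempts, while last_city is only meaningful once nulls are excluded.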