Maximum (max)
- Juan Tomás Alonso Nieto (Deactivated)
Description
This operation returns the highest value found in a data set.
How does it work in the search window?
You can use this operation in two different ways; as an Aggregation or Create column operation:
Aggregation: returns the highest value found in a specified column for each grouping occurrence.
Create column: creates a column that shows the highest of the values found in two or more numeric columns.
Aggregation
Before being able to perform this operation, you have to group your data. Be aware that the columns used as arguments for the grouping operation will not be available to select as arguments for the aggregation operation.
After grouping the data, select Aggregation in the search window toolbar, then select the Maximum operation. You need to specify one argument:
Argument | Data type | Description |
|---|---|---|
Max of mandatory Last of (alphabetical ordered) mandatory | integer, float string | When the selected argument is a number, the argument will be automatically transformed into Max of and will retrieve the highest value found in the specified column for each grouping occurrence. When the selected argument is a string, the argument will be automatically transformed into Last of (alphabetically ordered) and will retrieve the last of the alphabetically ordered values found in the specified column for each grouping occurrence. Be aware that if a string column used as the argument contains null values, they will be considered when ordering alphabetically. Consequently, if the value retrieved is null, it does not mean the operation has failed, only that it is the last value found when ordering alphabetically. |
The data type of the aggregated values is integer, float or string.
Create column
Select Create column in the search window toolbar, then select the Maximum operation. You need to add at least two Any number arguments, but you can add as many as required.
Argument | Data type |
|---|---|
Any number mandatory | integer, float |
Any number mandatory | integer, float |
The data type of the values in the new column is integer or float.
Example
Aggregation 1
In the demo.ecommerce.data table, we want to get the highest value of the bytesTransferred column in each 5-minute period. Before aggregating the data, the table must be grouped in 5-minute intervals. Then we will perform the aggregation using the Maximum operation.
The arguments needed for the Maximum operation are:
Max of → bytesTransferred column
Click Aggregate function and you will see the following result:
Aggregation 2
In the siem.logtrust.web.activity table, we want to get the last alphabetical value of the city column in each 5-minute period. Before aggregating the data, the table must be grouped in 5-minute intervals. Then we will perform the aggregation using the Maximum operation.
The arguments needed for the Maximum operation are:
Last of (alphabetically ordered) → city column
Click Aggregate function and you will see the following result:
Create column
In the demo.ecommerce.data table, we want to get the highest of the values found in either the bytesTransferred or timeTaken columns for each event. To do that, we will create a column using the Maximum operation.
The arguments needed for the Maximum operation are:
Any Number - bytesTransferred column
Any Number - timeTaken column
Click Create column and you will see the following result:
How does it work in LINQ?
Aggregation
Group your data using the following structure:
group every server period by column1, column2...every client period
Then, use select... as... to add the new column that will show the aggregated values. This is the syntax for the Maximum operation:
max(numeric_column)max(string_column)
See Build a query using LINQ to learn more about grouping and aggregating your data using the LINQ language.
Create column
Use select... as... to apply the Create column operation. This is the syntax for the Maximum operation:
max(numeric_column1, numeric_column2, numeric_column3...)
Examples
You can copy the following LINQ scripts and try the examples above on the demo.ecommerce.data and siem.logtrust.web.activity tables:
Aggregation 1
from demo.ecommerce.data
group every 5m
every 5m
select max(bytesTransferred) as bytesTransferred_maxAggregation 2
from siem.logtrust.web.activity
group every 5m
every 5m
select max(city) as city_maxCreate column
from demo.ecommerce.data
select max(bytesTransferred, timeTaken) as `bytes-time_max`