Skip to main content

min, max Grouping Operators

Use the min and max functions to find the smallest or largest value in a set of values.

max​

Extracts the maximum value of the numerical field being evaluated within the time range.

Syntax​

max(<numerical_field>) [as <field>] [by <field>]

Rules​

  • Creates field named _max

Example​

... | max(request_received) group by hour
... | max(request_received) as max_request_received, max(request_sent) as max_request_sent

When you calculate the maximum value of more than one field, you must create an alias using the as operator to rename the max fields.

See this example:

_sourceCategory="OS/Windows"
| kv "HandleCount", "ThreadCount"
| max(HandleCount) as maxHandleCount, max(ThreadCount) as maxThreadCount

min​

Extracts the minimum value of the numerical field being evaluated within the time range.

Syntax​

min(numerical_field) [as <field>] [by <field>]

Rules​

  • Creates field named _min

Example​

... | min(request_received) group by hour
​... | min(request_received) as min_request_received, max(request_sent) as max_request_sent

When you calculate the minimum value of more than one field, you must create an alias using the as operator to rename the min fields.

See this example:

_sourceCategory="OS/Windows"
| kv "HandleCount", "ThreadCount"
| min(HandleCount) as minHandleCount, min(ThreadCount) as minThreadCount
Status
Legal
Privacy Statement
Terms of Use

Copyright © 2024 by Sumo Logic, Inc.