I have a data table showing individual devices and two metrics for each device: average value and max value. I wish to output the date/time of the max value occurrence as well. I have tried adding a max bucket metric but I can't seem to get that to work. Is that the right approach, or is there another method for accomplishing this?
Is there a way to use the JSON option to return the datetime along with the max value result? Or is this not even possible? It seems trivial to show the date when it's already done all the work of identifying the max value.
For reference, I'm looking to show the date/time for the max occurrence as pictured below.
Is there a way of matching a shard based on the max of one field but display another?
I sort of suspect this should be something related to a sibling pipeline. If I create a Max Bucket metric with a Date Histogram and field @timestamp and a submetric of the max of my intended field, I seem to return the max value again.
It seems that what I'm looking for is the ability to switch that and use the Max value of my field at the bucket level and the date histogram at the submetric level. However, it doesn't seem as though the options exist to do that.
You should be able to do this using the "Top hit" metric on the datetime field with a size of 1, ordering descending by HrVal (this will basically select the document with the maximum
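The approach in the reply above, written as the equivalent Elasticsearch aggregation request plus the code that turns its response into table rows. This is an added example, not part of the original thread; `HrVal` and `@timestamp` are the thread's fields, while the device field name, the aggregation names and the sample response are assumptions constructed for illustration.

```python
import json

DEVICE_FIELD = "device.keyword"  # hypothetical field name, not from the thread

def build_request(value_field="HrVal", time_field="@timestamp"):
    """Search body: per device, the avg, the max, and the one document holding the max."""
    return {"size": 0, "aggs": {"devices": {
        "terms": {"field": DEVICE_FIELD, "size": 100},
        "aggs": {
            "avg_val": {"avg": {"field": value_field}},
            "max_val": {"max": {"field": value_field}},
            # top_hits with size 1, sorted descending by the value: the max document
            "max_doc": {"top_hits": {
                "size": 1,
                "sort": [{value_field: {"order": "desc"}}],
                "_source": [time_field, value_field]}},
        }}}}

def rows_from_response(resp, time_field="@timestamp"):
    """Flatten the aggregation response into one table row per device."""
    rows = []
    for bucket in resp["aggregations"]["devices"]["buckets"]:
        peak = bucket["max_val"]["value"]
        hits = bucket["max_doc"]["hits"]["hits"]
        # A device with no HrVal at all has a null max; its top hit is then an
        # arbitrary document, so no timestamp is reported for it.
        when = hits[0]["_source"].get(time_field) if hits and peak is not None else None
        rows.append({"device": bucket["key"], "avg": bucket["avg_val"]["value"],
                     "max": peak, "max_time": when})
    return rows

# Constructed response, trimmed to the keys used above.
SAMPLE_RESPONSE = {"aggregations": {"devices": {"buckets": [
    {"key": "dev-a", "doc_count": 3,
     "avg_val": {"value": 70.0}, "max_val": {"value": 91.0},
     "max_doc": {"hits": {"hits": [
         {"_source": {"@timestamp": "2024-01-02T10:15:00Z", "HrVal": 91.0}}]}}},
    {"key": "dev-b", "doc_count": 1,
     "avg_val": {"value": None}, "max_val": {"value": None},
     "max_doc": {"hits": {"hits": [
         {"_source": {"@timestamp": "2024-01-03T08:00:00Z"}}]}}},
]}}}

if __name__ == "__main__":
    print(json.dumps(build_request(), indent=2))
    for row in rows_from_response(SAMPLE_RESPONSE):
        print(row)
```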