This page explains how to use the arg_max aggregation in APL.
The arg_max aggregation in APL helps you identify the row with the maximum value for an expression and return additional fields from that record. Use arg_max when you want to determine key details associated with a row where the expression evaluates to the maximum value. If you group your data, arg_max finds the row within each group where a particular expression evaluates to the maximum value.
This aggregation is particularly useful in scenarios like the following:
- Pinpoint the slowest HTTP requests in log data and retrieve associated details (like URL, status code, and user agent) for the same row.
- Identify the longest span durations in OpenTelemetry traces with additional context (like span name, trace ID, and attributes) for the same row.
- Highlight the highest severity security alerts in logs along with relevant metadata (such as alert type, source, and timestamp) for the same row.
For users of other query languages
If you come from other query languages, this section explains how to adjust your existing queries to achieve the same results in APL.
Splunk SPL users
Splunk SPL users
Splunk SPL doesn’t have an equivalent to arg_max. You can use stats with a combination of max and by clauses to evaluate the maximum value of a single numberic field. APL provides a dedicated arg_max aggregation that evaluates expressions.
ANSI SQL users
ANSI SQL users
In ANSI SQL, you typically use a subquery to find the maximum value and then join it back to the original table to retrieve additional fields. APL’s arg_max provides a more concise and efficient alternative.
Usage
Syntax
Parameters
| Parameter | Description |
|---|---|
expression | The expression whose maximum value determines the selected record. |
field1, field2 | The additional fields to retrieve from the record with the maximum numeric value. |
Returns
Returns a row where the expression evaluates to the maximum value for each group (or the entire dataset if no grouping is specified), containing the fields specified in the query.
Use case examples
Find the slowest path for each HTTP method in the ['sample-http-logs'] dataset.
Query
Output
| uri | method | req_duration_ms |
|---|---|---|
| /home | GET | 1200 |
| /api/products | POST | 2500 |
This query identifies the slowest path for each HTTP method.
Find the slowest path for each HTTP method in the ['sample-http-logs'] dataset.
Query
Output
| uri | method | req_duration_ms |
|---|---|---|
| /home | GET | 1200 |
| /api/products | POST | 2500 |
This query identifies the slowest path for each HTTP method.
Identify the span with the longest duration for each service in the ['otel-demo-traces'] dataset.
Query
Output
| service.name | span_id | trace_id | duration |
|---|---|---|---|
| frontend | span123 | trace456 | 3s |
| checkoutservice | span789 | trace012 | 5s |
This query identifies the span with the longest duration for each service, returning the span_id, trace_id, and duration.
Find the highest status code for each country in the ['sample-http-logs'] dataset.
Query
Output
| geo.country | uri | status |
|---|---|---|
| USA | /admin | 500 |
| Canada | /dashboard | 503 |
This query identifies the URI with the highest status code for each country.
List of related aggregations
- arg_min: Retrieves the record with the minimum value for a numeric field.
- max: Retrieves the maximum value for a numeric field but does not return additional fields.
- percentile: Provides the value at a specific percentile of a numeric field.