The arg_max aggregation in APL helps you identify the row with the maximum value for an expression and return additional fields from that record. Use arg_max when you want to determine key details associated with a row where the expression evaluates to the maximum value. If you group your data, arg_max finds the row within each group where a particular expression evaluates to the maximum value. This aggregation is particularly useful in scenarios like the following:
  • Pinpoint the slowest HTTP requests in log data and retrieve associated details (like URL, status code, and user agent) for the same row.
  • Identify the longest span durations in OpenTelemetry traces with additional context (like span name, trace ID, and attributes) for the same row.
  • Highlight the highest severity security alerts in logs along with relevant metadata (such as alert type, source, and timestamp) for the same row.

For users of other query languages

If you come from other query languages, this section explains how to adjust your existing queries to achieve the same results in APL.
Splunk SPL doesn’t have an equivalent to arg_max. You can use stats with a combination of max and by clauses to evaluate the maximum value of a single numeric field, but this returns only the maximum, not the other fields of the row that produced it. APL provides a dedicated arg_max aggregation that evaluates expressions and returns fields from the selected row.
| stats max(req_duration_ms) as max_duration by id, uri
In ANSI SQL, you typically use a subquery to find the maximum value and then join it back to the original table to retrieve additional fields. APL’s arg_max provides a more concise and efficient alternative.
WITH MaxValues AS (
    SELECT id, MAX(req_duration_ms) as max_duration
    FROM sample_http_logs
    GROUP BY id
)
SELECT logs.id, logs.uri, MaxValues.max_duration
FROM sample_http_logs logs
JOIN MaxValues
ON logs.id = MaxValues.id;

Usage

Syntax

| summarize arg_max(expression, field1[, field2, ...])

Parameters

Parameter            Description
expression           The expression whose maximum value determines the selected record.
field1, field2, ...  The additional fields to retrieve from the record with the maximum numeric value.

Returns

Returns a row where the expression evaluates to the maximum value for each group (or the entire dataset if no grouping is specified), containing the fields specified in the query.

Use case examples

Find the slowest path for each HTTP method in the ['sample-http-logs'] dataset.

Query
['sample-http-logs']
| summarize arg_max(req_duration_ms, uri) by method
Output

uri             method    req_duration_ms
/home           GET       1200
/api/products   POST      2500
This query identifies the slowest path for each HTTP method.
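The following query is an added example, not one from the Axiom docs; it applies the first use case from the introduction (slowest requests with their associated details) to the same dataset. It assumes the dataset also carries the standard `_time` field and a `status` field holding the HTTP status code as a string, and that `ago`, `bin`, `toint`, `order by` and `limit` are available in APL as in Kusto.

```kusto
// Added example (assumed fields: _time, status). For each client id and each
// hour, keep the single slowest request and carry its uri, method and status
// from that same row, then keep only rows whose slowest request was a 5xx.
['sample-http-logs']
| where _time > ago(1d)
| summarize arg_max(req_duration_ms, uri, method, status) by id, bin(_time, 1h)
// status comes from the row arg_max selected, so this filters on the slowest
// request per group, not on any 5xx that the client produced in that hour.
| where toint(status) >= 500
| order by req_duration_ms desc
| limit 10
```

Filtering on status after summarize is deliberate: a where clause before summarize would restrict which rows compete for the maximum, while placing it after checks the status of the row that actually won.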
  • arg_min: Retrieves the record with the minimum value for a numeric field.
  • max: Retrieves the maximum value for a numeric field but does not return additional fields.
  • percentile: Provides the value at a specific percentile of a numeric field.