arg_max() (aggregation function)

Applies to: ✅ Azure Data ExplorerAzure MonitorMicrosoft Sentinel

Finds a row in the group that maximizes ExprToMaximize.

Note

This function is used in conjunction with the summarize operator.

Deprecated aliases: argmax()

Syntax

arg_max (ExprToMaximize, * | ExprToReturn [, ...])

Learn more about syntax conventions.

Parameters

Name Type Required Description
ExprToMaximize string ✔️ The expression used for aggregation calculation.
ExprToReturn string ✔️ The expression used for returning the value when ExprToMaximize is maximum. Use a wildcard * to return all columns of the input table.

Returns

Returns a row in the group that maximizes ExprToMaximize, and the values of columns specified in ExprToReturn.

Examples

Find the maximum latitude of a storm event in each state.

StormEvents 
| summarize arg_max(BeginLat, BeginLocation) by State

The results table displays only the first 10 rows.

State BeginLat BeginLocation
MISSISSIPPI 34.97 BARTON
VERMONT 45 NORTH TROY
AMERICAN SAMOA -14.2 OFU
HAWAII 22.2113 PRINCEVILLE
MINNESOTA 49.35 ARNESEN
RHODE ISLAND 42 WOONSOCKET
INDIANA 41.73 FREMONT
WEST VIRGINIA 40.62 CHESTER
SOUTH CAROLINA 35.18 LANDRUM
TEXAS 36.4607 DARROUZETT
... ... ...

Find the last time an event with a direct death happened in each state showing all the columns.

StormEvents
| where DeathsDirect > 0
| summarize arg_max(StartTime, *) by State

The results table displays only the first 10 rows and first 3 columns.

State StartTime EndTime ...
GUAM 2007-01-27T11:15:00Z 2007-01-27T11:30:00Z ...
MASSACHUSETTS 2007-02-03T22:00:00Z 2007-02-04T10:00:00Z ...
AMERICAN SAMOA 2007-02-17T13:00:00Z 2007-02-18T11:00:00Z ...
IDAHO 2007-02-17T13:00:00Z 2007-02-17T15:00:00Z ...
DELAWARE 2007-02-25T13:00:00Z 2007-02-26T01:00:00Z ...
WYOMING 2007-03-10T17:00:00Z 2007-03-10T17:00:00Z ...
NEW MEXICO 2007-03-23T18:42:00Z 2007-03-23T19:06:00Z ...
INDIANA 2007-05-15T14:14:00Z 2007-05-15T14:14:00Z ...
MONTANA 2007-05-18T14:20:00Z 2007-05-18T14:20:00Z ...
LAKE MICHIGAN 2007-06-07T13:00:00Z 2007-06-07T13:00:00Z ...
... ... ... ...

The following example demonstrates null handling.

datatable(Fruit: string, Color: string, Version: int) [
    "Apple", "Red", 1,
    "Apple", "Green", int(null),
    "Banana", "Yellow", int(null),
    "Banana", "Green", int(null),
    "Pear", "Brown", 1,
    "Pear", "Green", 2,
]
| summarize arg_max(Version, *) by Fruit

Output

Fruit Version Color
Apple 1 Red
Banana Yellow
Pear 2 Green