I am working with computer systems—for this question, the *type* of systems is not important—that forward events to Splunk (7.3).
These events contain periodic snapshots of system performance indicators. For example, each system can perform up to some maximum number of tasks. Each event contains that number in a field named `maxtasks`. `maxtasks` can be different for each system, and the `maxtasks` for a system can change between events. Each event also contains a field named `peaktasks` that represents the peak number of tasks in that system in the period of time covered by that event.
I want to visualize `peaktasks` as a percentage of `maxtasks` for each system, and then show the 10 systems with the highest percentage value; that is, the systems that reached, or came closest to reaching, `maxtasks`.
The search command is fairly straightforward:
| stats max(eval(peaktasks/maxtasks*100)) as "% of maxtasks" by system
| sort - "% of maxtasks"
| head 10
The problem: I also want to include, in the same chart, the original `peaktasks` and `maxtasks` values that correspond to those `max`-aggregated percentages.
Here's my current solution:
| eval "% of maxtasks"= peaktasks/maxtasks * 100
| dedup system sortby -"% of maxtasks"
| table system, peaktasks, maxtasks, "% of maxtasks"
| sort - "% of maxtasks"
| head 10
I overlay `% of maxtasks` as a line over a column chart that shows `maxtasks` and `peaktasks` side-by-side for each system.
This works. At least, I think it does; the resulting data looks right, but this is my first use of the `dedup` command with `sortby`.
Here, I'm using `eval` in a separate step to insert a new percentage field into each event, then using `dedup` with `sortby` to keep only a single event—the one with the highest percentage—for each system.
I have a working solution. So, what's my question?
My main question (other than: is this doing what I think it's doing?): **is there a more performant way to do this?**
Depending on the time range involved, the base search might return many thousands of events. `eval` and `dedup` might not be the most performant choices.
Advice, recommendations welcome.
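An alternative that avoids `dedup ... sortby`, added here as an illustration and not part of the original post: compute the per-system maximum with `eventstats`, keep only the event that reached it, and let `sort` apply the top-10 limit directly. It assumes the same numeric `peaktasks`, `maxtasks` and `system` fields described above.

```spl
| eval pct = if(maxtasks > 0, peaktasks / maxtasks * 100, null())
| eventstats max(pct) as maxpct by system
| where pct = maxpct
| dedup system
| table system, peaktasks, maxtasks, pct
| rename pct as "% of maxtasks"
| sort 10 - "% of maxtasks"
```

The `if(maxtasks > 0, ...)` guard drops events with a zero or missing `maxtasks` instead of producing an empty percentage, and the plain `dedup system` after `where` only breaks ties between events that share the same maximum.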