Hello
In your example, LATEST is a text field, so when you sort it, it's being sorted lexicographically. You would need to convert that timestamp to epoch, sort it, and then convert it back to human readable format. Something like:
index=os sourcetype=lastlog host=test | multikv | dedup LATEST | eval LATEST = strptime(LATEST,"%b %d %H:%M:%S %Y") | table LATEST | sort LATEST | eval LATEST = strftime(LATEST,"%b %d %H:%M:%S %Y")
Didn't test it, so maybe there is something missing, but the general idea should do it.
Regards
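To make the point of the answer concrete, here is an added Python illustration (not part of the original post) of the same dedup, strptime, sort, strftime pipeline, run over a few constructed lastlog-style LATEST values using the format string from the SPL above. It contrasts the alphabetical order a plain string sort produces with the chronological order obtained after converting to a time value.

```python
from datetime import datetime

# Format string used in the answer's strptime/strftime calls.
FMT = "%b %d %H:%M:%S %Y"

# Constructed sample LATEST values, as a multikv'd lastlog table might yield them.
SAMPLE_LATEST = [
    "Nov 03 09:12:44 2023",
    "Feb 14 22:05:01 2024",
    "Nov 03 09:12:44 2023",  # duplicate, dropped like `dedup LATEST`
    "Jan 30 07:45:10 2024",
    "Dec 25 18:00:00 2022",
]


def lexicographic_sort(values):
    """What `sort LATEST` does on a string field: alphabetical by month name."""
    return sorted(dict.fromkeys(values))


def chronological_sort(values):
    """Mirror of the SPL pipeline: dedup -> strptime -> sort -> strftime."""
    unique = dict.fromkeys(values)                         # dedup, keep first occurrence
    parsed = [datetime.strptime(v, FMT) for v in unique]   # eval LATEST=strptime(...)
    parsed.sort()                                          # sort LATEST on a time value
    return [dt.strftime(FMT) for dt in parsed]             # eval LATEST=strftime(...)


if __name__ == "__main__":
    print("string sort:       ", lexicographic_sort(SAMPLE_LATEST))
    print("chronological sort:", chronological_sort(SAMPLE_LATEST))
```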