I have a boatload of log files, whose name contains the timestamp, like this:
/DATA/show_cpu.2016101908.gz
/DATA/show_cpu.2016102108.gz
I only want to check the event in the latest file, so I tried following command:
index="-cli" source="show_cpu" | stats latest(source) by deviceId,fiveMinutes,timeStamp*
Unfortunately, the search results contain the events from other source files.
Please help out.
Try this, assuming all the events from the source have the same
base search | eventstats max(_indextime) as it | where it=_time
Hi... I tried the answer which you provided... It didn't work. Is there any other way?
Check this one:
index="-cli" | stats latest(source) by host,deviceId,fiveMinutes,timeStamp*
If the above won't work, then check these two:
index="-cli" | stats latest(source) by host
and
index="-cli" [search index="-cli" | stats latest(source) by host| table source] | table deviceId,fiveMinutes,timeStamp*
Hi @inventsekar... I tried the solution which you provided... It did not work. Is there any other solution?
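One more way to approach the original question, added here as an example and not taken from any of the answers above: since the file name itself carries the timestamp (show_cpu.2016101908.gz), extract that timestamp from the source field and keep only the events whose file timestamp is the largest. This assumes the source field holds the full path shown in the question (so a wildcard match is used rather than source="show_cpu"), that the file timestamp is exactly ten digits, and that the deviceId, fiveMinutes and timeStamp* fields are already extracted; the field names file_ts and latest_ts are made up for this example.

```spl
index="-cli" source="*show_cpu*"
| rex field=source "show_cpu\.(?<file_ts>\d{10})\.gz$"
| eventstats max(file_ts) as latest_ts
| where file_ts=latest_ts
| table source, deviceId, fiveMinutes, timeStamp*
```

This selects the latest file by the timestamp in its name rather than by _indextime, so it still works when an older file happened to be indexed after a newer one; dropping the table command shows the full events from that one file. Comparing against the file name timestamp also avoids the subsearch result limit that can bite when the number of distinct source files grows.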