Hi,
I have a CSV file that looks like this
Date,Version
01-24-2017 12:09:26,7_3_10_000500_3851898
01-25-2017 12:09:26,7_3_10_000500_3851898
01-26-2017 12:09:26,7_3_10_000500_3851898
01-27-2017 12:09:26,7_3_10_000500_3851899
01-28-2017 12:09:26,7_3_10_000500_3851899
01-29-2017 12:09:26,7_3_10_000500_3851899
01-30-2017 12:09:26,7_3_10_000500_3851899
How can I write a search that extracts the FIRST entry so the final results would look like this
Date,Version
01-24-2017 12:09:26,7_3_10_000500_3851898
01-27-2017 12:09:26,7_3_10_000500_3851899
Thank you!!!
How about using the last
which returns the last seen (oldest) version as search is in reverse chronological order, something like this:
| inputlookup your csv name
| stats last(Date) by Version
| sort Version
Alternatively you can use first
to reverse the affect:
| inputlookup your csv name
| stats first(Date) by Version
| sort Version
Found it.....
dedup Version sortby +_time
Final query looks like this
(index=allmsos source=*Beta.csv*) |dedup Version sortby +_time|where Date!="Date" and Version!="Version"|eval newdatefield=strftime(strptime(Date, "%m-%d-%Y %H:%M:%S"), "%m-%d-%Y %a")|stats values(newdatefield) as Date values(Version) as Version
Well done. Please mark your answer accepted.
Note the version number change betweeen the 24th and the 27th