i have a list of events , sorted by ip addresses , i would like to see only the latest event for each ip, i tried using head 1 but then it shows me only one IP with all its events, any suggestions?
BGP AND ((neighbor down) OR (neighbor up)) | rex "(?
If you know how many hosts you are looking at then you could do it this way:
<your search> | dedup IP_add | head X
I think this will show you the latest event for each IP_add. Just replace X with the number of IP addresses that you should be looking at.
If you know how many hosts you are looking at then you could do it this way:
<your search> | dedup IP_add | head X
I think this will show you the latest event for each IP_add. Just replace X with the number of IP addresses that you should be looking at.
thanks !! works just fine !!