How to list the latest time logs for the hosts grouped by source?
Please see the attached image for an example.
I think you are looking for something like this:
index=<your_index>
| stats latest(_time) as latest by source host
| eval "Latest Log Time"=strftime(latest,"%I:%M:%S %p")
| fields - latest
The above will be a much slower query, so you can also use the query given by @FrankVl for a faster approach.
In addition to that:
| tstats latest(_time) as latest where index=<your_index> by source,host
| eval "Latest Log Time"=strftime(latest,"%I:%M:%S %p")
| fields - latest
You need to put <your_index> as your index name.
Let me know if this helps!
| tstats latest(_time) as latest where index=* by source,host | convert ctime(latest)
Replace index=* by whatever you fancy 🙂
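The tstats queries in both answers above give you the latest event time per source and host; the usual reason a defender wants that table is to notice log sources that have gone quiet. The search below is an added example, not from either answer, that builds on the same tstats call and flags any source/host pair whose newest event is older than a threshold. The 3600-second threshold and the STALE/OK labels are assumptions chosen for illustration; <your_index> is the same placeholder used in the first answer.

```spl
| tstats latest(_time) as latest where index=<your_index> by source, host
| eval age_seconds = now() - latest
| eval "Latest Log Time" = strftime(latest, "%Y-%m-%d %H:%M:%S")
| eval status = if(age_seconds > 3600, "STALE", "OK")
| where status="STALE"
| sort - age_seconds
| fields host, source, "Latest Log Time", age_seconds, status
```

Drop the `where status="STALE"` line to see every pair with its age, or save the search as a scheduled alert so a host that stops forwarding logs is reported instead of silently disappearing from your dashboards. Because tstats reads index-time metadata rather than raw events, it only reflects data that has actually been indexed, which is exactly what you want when checking for ingestion gaps.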