I have this set of data coming in multiple times a day.
I want to select all the latest timestamp and the latest timestamp of the second to last date.
In the example below I want to get all of the data with a timestamp of 2018-08-14 07:53:53.0 (latest today) and 2018-08-14 07:53:53.0 (latest second to last date).
Note that ingestion is not consistent and there might be days where no data will come in.
1 2018-08-10 19:58:24.0
2 2018-08-11 01:14:43.0
3 2018-08-11 03:22:09.0
4 2018-08-11 06:28:03.0
5 2018-08-11 08:01:30.0
6 2018-08-11 09:08:25.0
7 2018-08-12 03:21:44.0
8 2018-08-12 23:52:02.0
9 2018-08-14 00:39:34.0
10 2018-08-14 03:09:33.0
11 2018-08-14 06:21:39.0
12 2018-08-14 07:53:53.0
@michaelrosello
How about something like this?
It's a bit weird, I give you that, but it works.
Here is the query:
<your base search> | stats first(_time) AS first_time, last(_time) AS last_time by date_mday | eval first_time=strftime(first_time, "%Y-%m-%d %H:%M:%S"), last_time=strftime(last_time, "%Y-%m-%d %H:%M:%S")
| rename first_time AS "Last Event", last_time AS "First Event" | table date_mday "First Event" "Last Event"
Hi,
First I have a question for you: are those data in an index? If yes, normally you just have to do:
index=youIndex | head 3
If not, can you give us more details on how you get those data?
Kail
What do you mean exactly by that?
In the example below I want to get all of the data with a timestamp of 2018-08-14 07:53:53.0 (latest today) and 2018-08-14 07:53:53.0 (latest second to last date).
Do you mean (earliest) and (latest)?