Oct 26 10:40:50 m eg[0]: group:group1 name:name1 size:10 speed:20
Oct 26 10:40:50 m eg[0]: group:group2 name:name5 size:10 speed:20
Oct 26 10:45:50 m eg[0]: group:group1 name:name1 size:20 speed:50
Oct 26 10:45:50 m eg[0]: group:group2 name:name5 size:10 speed:20
Oct 26 10:45:50 m eg[0]: group:group1 name:name1 size:1 speed:5
Oct 26 10:50:50 m eg[0]: group:group1 name:name2 size:10 speed:20
Oct 26 10:50:50 m eg[0]: group:group3 name:name3 size:10 speed:20
Oct 26 10:50:50 m eg[0]: group:group3 name:name4 size:10 speed:20
Oct 26 10:50:50 m eg[0]: group:group4 name:name5 size:10 speed:20
Oct 26 10:50:50 m eg[0]: group:group5 name:name6 size:10 speed:20
I have the above data. I'd like to find a way to only look at the latest entry for a certain name. So for example, 'name:name1' exists 3 times in the above results. The following line is the latest result for 'name:name1':
Oct 26 10:45:50 m eg[0]: group:group1 name:name1 size:1 speed:5
It should therefore only include that item in the results. It should then do the same for all the others so that I only have one of each 'name:name?' and each one should be the latest found in the results.
How would I do this?
Ok try this and let me know what you get. I'm assuming you have a field extracted for the nameX value called name.
<your search>| eventstats latest(name) by _time, name | dedup name | table name, _raw, _time
This will show the latest individual values for each 'name' field value you have. You can do whatever you want with the table to show whatever fields you want later. Take out the dedup and you'll be able to see all records and make sure that you are in fact getting the latest one. Pick a set period of time by using earliest=-10m latest=-5min before the first pipe in your search. I'm still trying to play with it still to see how to do this in a cleaner way without dedup.
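For readers who want to check what the `dedup name` step actually keeps, here is an added Python example (not code from the question or the answer above) that parses the sample lines from the question and keeps the most recent event per `name`. It mimics Splunk's `dedup` behaviour of keeping the first event seen in search order, where the default order is most recent first; the syslog year is absent from the lines, so the code assumes one, and ties on the same timestamp are broken in favour of the line that appears later in the file, which is what the question treats as the latest `name1` entry.

```python
import re
from datetime import datetime

# Constructed sample input: the same ten lines posted in the question.
SAMPLE_LOG = """\
Oct 26 10:40:50 m eg[0]: group:group1 name:name1 size:10 speed:20
Oct 26 10:40:50 m eg[0]: group:group2 name:name5 size:10 speed:20
Oct 26 10:45:50 m eg[0]: group:group1 name:name1 size:20 speed:50
Oct 26 10:45:50 m eg[0]: group:group2 name:name5 size:10 speed:20
Oct 26 10:45:50 m eg[0]: group:group1 name:name1 size:1 speed:5
Oct 26 10:50:50 m eg[0]: group:group1 name:name2 size:10 speed:20
Oct 26 10:50:50 m eg[0]: group:group3 name:name3 size:10 speed:20
Oct 26 10:50:50 m eg[0]: group:group3 name:name4 size:10 speed:20
Oct 26 10:50:50 m eg[0]: group:group4 name:name5 size:10 speed:20
Oct 26 10:50:50 m eg[0]: group:group5 name:name6 size:10 speed:20
"""

# syslog-style prefix: "<Mon> <day> <HH:MM:SS> <host> <program>: <key:value ...>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ \S+: (?P<kv>.*)$"
)


def parse_line(line, year=2023):
    """Turn one log line into a dict of extracted fields plus _time and _raw.

    `year` is an assumption: syslog timestamps carry no year, so one is supplied
    to build a comparable datetime. Returns None for lines that do not match.
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    fields = dict(kv.split(":", 1) for kv in m["kv"].split() if ":" in kv)
    fields["_time"] = when
    fields["_raw"] = line
    return fields


def parse_log(text, year=2023):
    """Parse every non-empty line, skipping ones that do not match the format."""
    events = (parse_line(ln, year) for ln in text.splitlines() if ln.strip())
    return [ev for ev in events if ev is not None]


def latest_by(events, key="name"):
    """Equivalent of `| dedup name` on a reverse-chronological event list.

    Events are ordered newest first (ties broken by later position in the
    input, i.e. later line wins) and the first event seen for each key value
    is kept. Returns {key_value: event}.
    """
    ordered = sorted(
        enumerate(events),
        key=lambda pair: (pair[1]["_time"], pair[0]),
        reverse=True,
    )
    kept = {}
    for _, ev in ordered:
        k = ev.get(key)
        if k is None or k in kept:
            continue  # missing field or already have a newer event for it
        kept[k] = ev
    return kept


def as_table(kept):
    """Equivalent of `| table name, _raw, _time`, sorted by name for readability."""
    return [
        (name, ev["_raw"], ev["_time"].strftime("%H:%M:%S"))
        for name, ev in sorted(kept.items())
    ]


if __name__ == "__main__":
    for row in as_table(latest_by(parse_log(SAMPLE_LOG))):
        print(row)
```

Running it prints one row per `name` value (six in total); `name1` resolves to the `size:1 speed:5` line and `name5` to its `group4` entry at 10:50:50. If two events for the same name share an exact timestamp, Splunk's choice depends on index order, so the tie-break here is explicit rather than something to rely on blindly; adding a finer-grained timestamp to the log format removes the ambiguity.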
Worked exactly in the way I needed it to. Thanks
This worked for me. Thanks a lot