So I have a search that I am building, though the results must be output into a table, due to not all fields being present in all instances. Think of this as an 'inventory' type of data input, where some machines have 2 NICs and 4 HDDs, and others have 8 NICs and 10 HDDs, etc.
I have written a script to collect all of this data, though I am attempting to get the 'latest' results from the past 2 days. If I could use stats it would be very easy:
| stats latest(host) by field field field field
although stats doesn't allow for some fields simply not being present.
When I use table I can easily populate the data, though I must dedup the data first, and I want to be sure I'm getting the latest data.
Is there a way to do this with table somehow?
My suggestion was going to be exactly what @somesoni2 mentioned because your existing | STATS command is backwards of what you want. If you use FILLNULL first, then you can make sure all of your fields have some kind of value:
... your search ... | fillnull value="n/a" field1 field2 field3 field4 | stats latest(field1) as field1, latest(field2) as field2, etc...
If the events you are looking at have all of the relevant fields in a single event, you should be able to use TABLE if you use the SORTBY option with DEDUP first:
... your search ... | dedup host sortby -_time | table host, field1, field2, field3, etc
Just to clarify, do you want the latest host to report all of those fields? Or are you really trying to get the most recent fields reported by each host?
I am trying to get the latest entry for every field. Stats will not work, as I've mentioned: not all fields exist in each instance. stats just causes 'no results' to be found.
Why not do it the other way around?
...| stats latest(field1) as field1 latest(field2) as field2... by host
Unfortunately, this will not work, due to not all fields being present in all instances. stats just causes a 'no results' result set.
Try something like this:
your base search | fillnull field1 field2... ...| stats latest(field1) as field1 latest(field2) as field2... by host
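As an added example that is not part of the original thread, the three searches below build a small constructed inventory dataset with makeresults (host names, field names and values are made up) and run the approaches from both answers above against it, so the difference between "the most recent event per host" and "the most recent value of each field per host" is visible. The dataset has two hosts and four events; the newest event for srv-a carries nic_count but no hdd_count, while an older srv-a event has hdd_count=10.

```spl
| makeresults count=4
| streamstats count AS n
| eval _time = now() - (n * 3600)
| eval host = if(n % 2 == 0, "srv-a", "srv-b")
| eval nic_count = case(n == 1, 2, n == 2, 8, n == 4, 8)
| eval hdd_count = case(n == 1, 4, n == 3, 4, n == 4, 10)
| fields - n
| eventstats latest(nic_count) AS latest_nic, latest(hdd_count) AS latest_hdd BY host
| dedup host sortby -_time
| table host, _time, nic_count, hdd_count, latest_nic, latest_hdd

| makeresults count=4
| streamstats count AS n
| eval _time = now() - (n * 3600)
| eval host = if(n % 2 == 0, "srv-a", "srv-b")
| eval nic_count = case(n == 1, 2, n == 2, 8, n == 4, 8)
| eval hdd_count = case(n == 1, 4, n == 3, 4, n == 4, 10)
| fields - n
| fillnull value="n/a" nic_count hdd_count
| stats latest(nic_count) AS nic_count, latest(hdd_count) AS hdd_count BY host

| makeresults count=4
| streamstats count AS n
| eval _time = now() - (n * 3600)
| eval host = if(n % 2 == 0, "srv-a", "srv-b")
| eval nic_count = case(n == 1, 2, n == 2, 8, n == 4, 8)
| eval hdd_count = case(n == 1, 4, n == 3, 4, n == 4, 10)
| fields - n
| stats latest(host) AS host BY nic_count hdd_count
```

Each search is independent; the first seven lines of each only build the sample events (case() with no matching branch leaves the field absent, which is what simulates a missing inventory field). The first search is the dedup-plus-table approach, with an eventstats added alongside it for comparison: the srv-a row shows nic_count=8 and an empty hdd_count, because the newest srv-a event has no hdd_count, while latest_hdd is 10, because latest() skips events in which the field is absent and takes the newest value that is actually there. The second search runs fillnull before stats, as in both answers: the newest srv-a event now carries hdd_count="n/a", and that string becomes the latest value, so the 10 from the older event is no longer reported. If the goal is the newest value of each field per host, run stats latest(...) by host without fillnull; if the goal is to see which hosts have no value at all, fillnull is the way to make that explicit. The third search is the shape of the original stats attempt, grouping by the inventory fields themselves: events that lack any of the by fields are excluded from the grouping, so only the two fully populated events survive, which is why a by clause over optional fields appears to "lose" data.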