I'm looking for help creating a search that returns all events from the last log indexed.
This is what i've tried but it doesnt return the events just the source.
| get all sources from metadata | sort all sources desending by time and only return the last one | join the main index on the source columns
| metadata type=sources | sort 1 recentTime desc
| fields source
| join source [search index=main | fields source]
... View more