We have a job which routinely creates an outputlookup containing the time (timestamp) it has completed a successful summary index.
We'd like to use this information in a dashboard such that the earliest is max(timestamp).
Idea:
index=some_index_summary earliest=the max(timestamp) from my inputlookup
Doing earliest and latest in a subsearch is tricky and requires special handling, including only using integer values and eliminating double-quotes. Try this for your subsearch; it will work unless timestamp is not a number (it must be a time_t):
index=some_index_summary [|inputlookup my_inputlookup | stats max(timestamp) AS earliest
| format "" "" "" "" "" ""
| rex field=search mode=sed "s/\"//g"]
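An added example, not part of the original answer: a variant of the subsearch above for the case the answer flags, where timestamp is stored in the lookup as a formatted string instead of a time_t. The format string "%Y-%m-%d %H:%M:%S" is an assumption about the lookup's contents; the index and lookup names are the ones used above.

```spl
index=some_index_summary
    [| inputlookup my_inputlookup
     | eval timestamp=strptime(timestamp, "%Y-%m-%d %H:%M:%S")
     | stats max(timestamp) AS earliest
     | eval earliest=floor(earliest)
     | format "" "" "" "" "" ""
     | rex field=search mode=sed "s/\"//g"]
```

strptime converts the string to epoch seconds and floor keeps the result an integer, so after the quotes are stripped the subsearch hands the outer search earliest=<integer>. Rows whose timestamp does not match the format string become null and are ignored by max.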
Thanks a lot. It works.
hi @morethanyell
Did the answer below solve your problem? If so, please resolve this post by approving it!
If your problem is still not solved, keep us updated so that someone else can help ya. Thanks for posting!
it does not work
@morethanyell
Can you please try this?
index=some_index_summary [ | inputlookup mylookup | stats max(timestamp) as earliest | field earliest]
it does not work.