Solved: How to get latest 50 events based on real-time in ...

prasi_17894 · ‎04-22-2020

I am trying to fetch the latest 50 events by _time.

This is the search I used, putting required columns in a table:

index=intlims country!=US appSection!=DSIM* AND appSection!=Features AND appSection!=Price* services{}.name!="EvaluateIMSRule" AND services{}.name!="printShelfLabel"
| rename services{}.successful as servicesSuccessful, services{}.name as servicesName
| table country, site, servicesName, servicesSuccessful, _time

There are only a few items in the search results, but there are at least a million events.

country site    servicesName      servicesSuccessful    _time
MX  02731   GetProductLocations true                   2020-04-22 16:20:53
CA  03739   GetItemInfoForBin      true               2020-04-22 16:20:53
MX  03866   GetProductLocations true                  2020-04-22 16:20:53
UK  04844   GetProductLocations true                  2020-04-22 16:20:53
NI  04396   GetProductLocations true                  2020-04-22 16:20:53

Expected results are shown below, fetching the latest 50 events by time per servicesName, site and country:

country  site   servicesName        servicesSuccessful  _time
MX      02731   GetProductLocations   true             2020-04-22 16:20:53
MX      02731   GetProductLocations   true             2020-04-22 16:18:53
MX      02731   GetProductLocations   false            2020-04-22 16:16:53
MX      02731   GetProductLocations   true             2020-04-22 16:15:53


MX      02731   GetProductLocations   true             2020-04-22 16:00:53


CA      03739   GetItemInfo           true             2020-04-22 16:20:53
CA      03739   GetItemInfo           true             2020-04-22 16:19:53
CA      03739   GetItemInfo           false            2020-04-22 16:18:53



CA      03739   GetItemInfo           true             2020-04-22 15:20:53

manjunathmeti · ‎04-22-2020

You can use stats command with latest function and head command:

index=intlims country!=US appSection!=DSIM* AND appSection!=Features AND appSection!=Price* services{}.name!="EvaluateIMSRule" AND services{}.name!="printShelfLabel" 
| rename services{}.successful as servicesSuccessful, services{}.name as servicesName 
| table servicesSuccessful, _time, servicesName, site, country
| stats latest(*) as *  by servicesName, site, country
| head 50

View solution in original post

manjunathmeti · ‎04-22-2020

You can use stats command with latest function and head command:

index=intlims country!=US appSection!=DSIM* AND appSection!=Features AND appSection!=Price* services{}.name!="EvaluateIMSRule" AND services{}.name!="printShelfLabel" 
| rename services{}.successful as servicesSuccessful, services{}.name as servicesName 
| table servicesSuccessful, _time, servicesName, site, country
| stats latest(*) as *  by servicesName, site, country
| head 50

prasi_17894 · ‎04-23-2020

@manjunathmeti Thank you.
The below query worked.

index=intlims country!=US appSection!=DSIM* AND appSection!=Features AND appSection!=Price* services{}.name!="EvaluateIMSRule" AND services{}.name!="printShelfLabel"
| rename services{}.successful as servicesSuccessful, services{}.name as servicesName
| table servicesSuccessful, _time, servicesName, site, country
| top 50 showcount=false showperc=false _time, servicesSuccessful by country, site, servicesName

How to get latest 50 events based on real-time in my search?

Observability | How to Think About Instrumentation Overhead (White Paper)

Cloud Platform | Get Resiliency in the Cloud Event (Register Now!)

The Great Resilience Quest: 10th Leaderboard Update