Yes!! In my case I have solved with head comand:
index=index1 source="file.csv" Status="Active" [search index=index1 source="file.csv" | dedup _time | head 1 | return _time] |...
Yes I tried, I have 20 source files for this index and when I do this I got 19, every each of them except the last one. What I need is only the 19th one. I already got the 20th with your answer, just need the before last.
... [ ... | dedup source | reverse | list(source) AS source| eval source=mvindex(source,1) ]
You can then adjust the
1 to whichever one you would like.
That is really great but don't solve the problem, This search would only help if I had a fixed number of source files, the problems is: The index continuously receive new source file automatically, so I would need to change the search every time.
Sorry it worked, without the |reverse, look:
index="myindex" [search index="myindex" | dedup source |stats list(source) AS source| eval source=mvindex(source,2) ]
this bring myu before last source file events.