Hi folks, my dataset looks like this:
timestamp | id | userMail | reason |
t1 | id1 | a@example.com | test |
t2 | id1 | a@example.com | test |
t3 | id1 | a@example.com | test |
t2 | id2 | b@example.com | testtest |
t4 | id2 | b@example.com | ttt |
I want to group by id and userMail, then find the last (latest) record in each group. According to the help document on the latest/earliest functions, they use the metadata field _time to find the latest row. How can I make the latest function use the timestamp field in my case?
I know I can use something like eval _time = timestamp to overwrite the _time field, but I want to know if there are better ways to achieve this.
My second question is how to write the query; can I do it this way:
| eval _time=timestamp/pow(10,3)
| chart latest(*) by id, userMail
Thanks!
@codewarrior wrote: My second question is how to write the query; can I do it this way:
| eval _time=timestamp/pow(10,3)
| chart latest(*) by id, userMail
Also yes. As soon as you redefine _time, it behaves as the original _time. (In some use cases, you want to first rename the original in order to save its value. But for the stats that you are using it with, that is not necessary.)
Yes, you can. If you want to use the search command, rename your timestamp to _time; otherwise you will need to do the calculations in the where command.
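A run-anywhere SPL version of the approach described in the answers above. This is an added example, not a query from the original thread. It rebuilds the five sample rows with makeresults, assumes timestamp is epoch milliseconds (hence the division by pow(10,3)), keeps the original _time under the hypothetical name search_time before overwriting it as the first answer suggests, and uses stats rather than chart, because chart with two split-by fields pivots the second one into columns instead of producing one row per (id, userMail) pair.

```spl
| makeresults count=5
| streamstats count AS n
| eval timestamp=case(n=1, 1700000001000, n=2, 1700000002000, n=3, 1700000003000, n=4, 1700000002000, n=5, 1700000004000)
| eval id=case(n<=3, "id1", true(), "id2")
| eval userMail=case(n<=3, "a@example.com", true(), "b@example.com")
| eval reason=case(n<=3, "test", n=4, "testtest", n=5, "ttt")
| rename _time AS search_time
| eval _time=timestamp/pow(10,3)
| stats latest(reason) AS reason, latest(timestamp) AS timestamp, max(_time) AS _time, latest(search_time) AS search_time BY id, userMail
| eval last_seen=strftime(_time, "%Y-%m-%d %H:%M:%S")
| fields id, userMail, reason, timestamp, last_seen, search_time
```

The first six lines only fabricate the dataset from the question; in a real search they are replaced by the base search that returns the events. Because latest() orders by _time, and _time now holds the record's own timestamp rather than when makeresults ran, id2 comes back with reason ttt (its later row) while id1 keeps test. The rename is optional for this particular stats call, as the first answer notes, but it keeps the search-time value available if a later command needs it.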