Now, when I search via the tstats command like this:
| tstats summariesonly=t
| rename dm_main.* AS *
I only get either a value for sensor_01 OR sensor_02, since the latest value for the other is a blank...
I tried getting around that by using list(), but it's not available for tstats.
Then I tried using values(), which gives me the values I need, but in alphabetical order. But I need to know the latest.
Is there a way with tstats to search for LATEST NOT NULL?
The fields in question are not native to the sourcetype; they are calculated fields:
You are on the correct path. You should avoid using empty sets in any fields except in some very specific use cases. Your evals should be this:
EVAL-sensor_01 = if(valueName="raw_sensor_01", value, null())
The null() command makes it a null value instead of an empty set.
If this comment/answer was helpful, please up vote it. Thank you.
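The effect described in this thread, as an added example that is not part of the original posts and is not Splunk code: a simplified Python model of a latest()-style aggregation over calculated fields that fall back to an empty string versus a null. The event values, the name raw_sensor_02 and all function names are assumptions made for illustration.

```python
# Simplified model (an assumption, not Splunk code) of how a latest()-style
# aggregation treats "" versus a null calculated field.

# Constructed sample events, oldest first: each event carries one sensor reading.
EVENTS = [
    {"_time": 100, "valueName": "raw_sensor_01", "value": "21.5"},
    {"_time": 110, "valueName": "raw_sensor_02", "value": "40.1"},
    {"_time": 120, "valueName": "raw_sensor_01", "value": "22.0"},
    {"_time": 130, "valueName": "raw_sensor_02", "value": "39.8"},
]

# Calculated field name -> valueName it is derived from (raw_sensor_02 is assumed).
SENSORS = {"sensor_01": "raw_sensor_01", "sensor_02": "raw_sensor_02"}


def calc_fields(event, missing):
    """Mimic EVAL-sensor_0x = if(valueName="raw_sensor_0x", value, <missing>)."""
    out = dict(event)
    for field, raw_name in SENSORS.items():
        result = event["value"] if event["valueName"] == raw_name else missing
        if result is not None:  # a null result means the field is never created
            out[field] = result
    return out


def latest(events, field):
    """Return the field's value from the most recent event that has the field."""
    having = [e for e in events if field in e]
    return max(having, key=lambda e: e["_time"])[field] if having else None


def latest_per_sensor(missing):
    """Apply the calculated fields with the given fallback, then aggregate."""
    rows = [calc_fields(e, missing) for e in EVENTS]
    return {field: latest(rows, field) for field in SENSORS}


if __name__ == "__main__":
    print("fallback \"\":    ", latest_per_sensor(""))
    print("fallback null():", latest_per_sensor(None))
```

With the empty-string fallback, every event carries both fields, so the newest event always wins and one sensor comes back blank. With the null fallback, each field exists only on its own events, so the aggregation returns the last real reading for both sensors.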