@flzhang132

Have you tried this?

YOUR_SEARCH
| stats latest(project) as project latest(_time) as _time by vm_id

Sample Search:

| makeresults | eval project="erp",vm_id=100,_time=now()-180 | append [| makeresults | eval project="erp",vm_id=100,_time=now()-120] | append [| makeresults | eval project="ems",vm_id=100,_time=now()-60] | append [| makeresults | eval project="mcs",vm_id=101,_time=now()-180] | append [| makeresults | eval project="mcs",vm_id=101,_time=now()-120] | append [| makeresults | eval project="mes",vm_id=101,_time=now()-60] | stats latest(project) as project latest(_time) as _time by vm_id

Thanks