I have multiple records with different data_set value. I want to get each data_set record at a time. So tried using count when count is 1 display n-1 record if count is 2 display n-2 record and so on..
I tried using dedup but the list of column will vary so data mismatch was happening. So thought to get the data based on data_timestamp which is the data specific time. With this I am only able to get the latest record by using the latest timestamp by field. But not able to fetch n-1, n-2 etc... records data_timestamp
Here is the query used to get the latest record:
index="test" source="test_source" | where data = "data_1" and data_set IN ("set_1",set_2","set_2") and data_tag = "tag_1" | stats latest(data_timestamp) as data_timestamp by data_set | table data_timestamp | format