Hi,
I have two searches that I would like to combine, but I would like to remove the duplicates based on Latest_Time.
My two searches:
| metadata type=hosts index=os | convert ctime(recentTime) as Latest_Time | table host, Latest_Time, totalCount | sort Latest_Time
Example output (index=os):

| host | Latest_Time | totalCount |
|---|---|---|
| addc1-pprd | 1/14/2015 13:21 | 105 |
| adfsproxy01-pprd | 1/14/2015 13:41 | 1603 |
| adfs02-pprd | 1/28/2015 15:10 | 55 |
| metadata type=hosts index=msad | convert ctime(recentTime) as Latest_Time | table host, Latest_Time, totalCount | sort Latest_Time
Example output (index=msad):

| host | Latest_Time | totalCount |
|---|---|---|
| addc1-pprd | 1/26/2015 11:24 | 39685239 |
| adfsproxy01-pprd | 1/26/2015 11:23 | 7090659 |
| adfs02-pprd | 1/26/2015 11:24 | 4624827 |
| ADDC2-PPRD | 1/26/2015 11:24 | 49067658 |
I would like the search to generate this information:

Combined:

| host | Latest_Time | totalCount |
|---|---|---|
| addc1-pprd | 1/26/2015 11:24 | 39685239 |
| adfsproxy01-pprd | 1/26/2015 11:23 | 7090659 |
| adfs02-pprd | 1/28/2015 11:24 | 55 |
| ADDC2-PPRD | 1/26/2015 11:24 | 49067658 |
I'm guessing that a dedup would be used, but I'm a bit stymied.
Thanks in advance for your help!
If you use `| sort - Latest_Time | dedup host`, it should sort on time with the latest on top and then dedup the results by host, keeping the value that appears first, which will be the latest entry.
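The sort-then-dedup logic from the answer above, worked through in Python as an added example (this is not code from the thread or from Splunk). The rows are constructed from the example output in the question; the epoch values for `recentTime` are assumptions chosen to match the displayed timestamps. The example sorts on the numeric `recentTime` rather than on the `ctime`-converted string, and includes two checks a practitioner would want before trusting a "last seen per host" table: a string sort on `MM/DD/YYYY` dates orders wrongly across a year boundary, and a plain dedup on `host` treats `ADDC2-PPRD` and `addc2-pprd` as two different hosts.

```python
from datetime import datetime, timezone


def epoch(ts):
    """Epoch seconds for a 'M/D/YYYY HH:MM' string, treated as UTC (constructed helper)."""
    return int(datetime.strptime(ts, "%m/%d/%Y %H:%M").replace(tzinfo=timezone.utc).timestamp())


def ctime(epoch_seconds):
    """Format an epoch the way Splunk's default convert ctime() does: MM/DD/YYYY HH:MM:SS."""
    return datetime.fromtimestamp(epoch_seconds, tz=timezone.utc).strftime("%m/%d/%Y %H:%M:%S")


# Constructed rows mirroring the two '| metadata type=hosts' outputs in the question.
OS_ROWS = [
    {"host": "addc1-pprd", "recentTime": epoch("1/14/2015 13:21"), "totalCount": 105, "index": "os"},
    {"host": "adfsproxy01-pprd", "recentTime": epoch("1/14/2015 13:41"), "totalCount": 1603, "index": "os"},
    {"host": "adfs02-pprd", "recentTime": epoch("1/28/2015 15:10"), "totalCount": 55, "index": "os"},
]
MSAD_ROWS = [
    {"host": "addc1-pprd", "recentTime": epoch("1/26/2015 11:24"), "totalCount": 39685239, "index": "msad"},
    {"host": "adfsproxy01-pprd", "recentTime": epoch("1/26/2015 11:23"), "totalCount": 7090659, "index": "msad"},
    {"host": "adfs02-pprd", "recentTime": epoch("1/26/2015 11:24"), "totalCount": 4624827, "index": "msad"},
    {"host": "ADDC2-PPRD", "recentTime": epoch("1/26/2015 11:24"), "totalCount": 49067658, "index": "msad"},
]


def latest_per_host(rows, sort_field="recentTime", normalize_host=None):
    """Equivalent of '| sort - <sort_field> | dedup host'.

    Sort descending on sort_field (stable, so ties keep input order), then keep the
    first row seen for each host. normalize_host is an optional callable applied to
    the host value before comparison; Splunk's dedup compares values exactly, so
    without it upper- and lower-case spellings of one host survive as two rows.
    """
    ordered = sorted(rows, key=lambda r: r[sort_field], reverse=True)
    seen = set()
    kept = []
    for row in ordered:
        key = normalize_host(row["host"]) if normalize_host else row["host"]
        if key in seen:
            continue
        seen.add(key)
        kept.append(row)
    return kept


def combined_table(rows):
    """host, Latest_Time, totalCount per host, like the 'Combined' table in the question."""
    return [(r["host"], ctime(r["recentTime"]), r["totalCount"]) for r in latest_per_host(rows)]


def with_latest_time(rows):
    """Add the string field Latest_Time, as '| convert ctime(recentTime) as Latest_Time' would."""
    return [dict(r, Latest_Time=ctime(r["recentTime"])) for r in rows]


# Constructed check 1: the same host seen in December and January. Sorting on the
# Latest_Time string puts "12/30/2014 ..." above "01/05/2015 ..." because '1' > '0'.
CROSS_YEAR_ROWS = with_latest_time([
    {"host": "dc03-pprd", "recentTime": epoch("12/30/2014 08:00"), "totalCount": 10, "index": "os"},
    {"host": "dc03-pprd", "recentTime": epoch("1/5/2015 09:00"), "totalCount": 20, "index": "msad"},
])

# Constructed check 2: one host reported with different letter case by two sources.
CASE_ROWS = [
    {"host": "ADDC2-PPRD", "recentTime": epoch("1/26/2015 11:24"), "totalCount": 49067658, "index": "msad"},
    {"host": "addc2-pprd", "recentTime": epoch("1/14/2015 13:21"), "totalCount": 98, "index": "os"},
]


if __name__ == "__main__":
    for host, latest, count in combined_table(OS_ROWS + MSAD_ROWS):
        print(f"{host:18} {latest} {count}")
    print("cross-year, sort on recentTime :", latest_per_host(CROSS_YEAR_ROWS)[0]["totalCount"])
    print("cross-year, sort on Latest_Time:", latest_per_host(CROSS_YEAR_ROWS, "Latest_Time")[0]["totalCount"])
    print("case-sensitive dedup rows      :", len(latest_per_host(CASE_ROWS)))
    print("lower-cased dedup rows         :", len(latest_per_host(CASE_ROWS, normalize_host=str.lower)))
```

In SPL terms the safe order of operations is to sort and dedup on the numeric `recentTime` first and run `convert ctime(...)` afterwards, and to decide deliberately whether host names should be lower-cased before the dedup; when this table is used as a "which hosts stopped logging" check, a host that only appears under a second spelling is the one most likely to be missed.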
Thank you for your response. I'll give that a try.
Any luck?
Yes. Thank you!
dedup on the end did the trick.
Hi @gsteffen
Glad you found an answer through @dflodstrom 🙂 don't forget to officially accept their answer by clicking on "Accept" directly below their response and also upvote it by clicking on the up arrow on the left side of the answer.
Cheers!
Patrick