I have two searches that I would like to combine but I would like to remove the duplicate with the Latest_Time.
My two searches:
| metadata type=hosts index=os | convert ctime(recentTime) as Latest_Time | table host, Latest_Time, totalCount | sort Latest_Time

| host | Latest_Time | totalCount |
|---|---|---|
| addc1-pprd | 1/14/2015 13:21 | 105 |
| adfsproxy01-pprd | 1/14/2015 13:41 | 1603 |
| adfs02-pprd | 1/28/2015 15:10 | 55 |

| metadata type=hosts index=msad | convert ctime(recentTime) as Latest_Time | table host, Latest_Time, totalCount | sort Latest_Time

Index=msad

| host | Latest_Time | totalCount |
|---|---|---|
| addc1-pprd | 1/26/2015 11:24 | 39685239 |
| adfsproxy01-pprd | 1/26/2015 11:23 | 7090659 |
| adfs02-pprd | 1/26/2015 11:24 | 4624827 |
| ADDC2-PPRD | 1/26/2015 11:24 | 49067658 |

I would like to see the search to generate this information:

Combined

| host | Latest_Time | totalCount |
|---|---|---|
| addc1-pprd | 1/26/2015 11:24 | 39685239 |
| adfsproxy01-pprd | 1/26/2015 11:23 | 7090659 |
| adfs02-pprd | 1/28/2015 11:24 | 55 |
| ADDC2-PPRD | 1/26/2015 11:24 | 49067658 |

I'm guessing that a dedup would be used, but I'm a bit stymied.
Thanks in advance for your help!
If you use " | sort - Latest_Time | dedup host " it should sort on time with the latest on top and then dedup the results by host, keeping the value that appears first, which will be the latest entry.
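
One way to put the two searches and the dedup together, as an added example that is not part of the original question or answer: it joins the two `metadata` result sets with `append`, then sorts on the epoch field `recentTime` before formatting it, because the string that `convert ctime` produces sorts as text rather than as a time. `sort 0` lifts the default result limit of `sort`; the index and field names are the ones used in the question.

```spl
| metadata type=hosts index=os
| append [| metadata type=hosts index=msad]
| sort 0 - recentTime
| dedup host
| convert ctime(recentTime) as Latest_Time
| table host, Latest_Time, totalCount
```

`dedup` compares host values case-sensitively, so a host reported with different casing in the two indexes stays as two rows unless it is normalized first, for example with `eval host=lower(host)` before the `dedup`.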
Glad you found an answer through @dflodstrom 🙂 don't forget to officially accept their answer by clicking on "Accept" directly below their response and also upvote it by clicking on the up arrow on the left side of the answer.