So I have a search that I am building, though the results must be output into a table, due to not all fields being present in all instances. Think of this as an 'inventory' type of data input, where some machines have 2 NICs, 4 HDDs, and others have 8 NICs and 10 HDDs, etc.
I have written a script to collect all of this data, though I am attempting to get the 'latest' results from the past 2 days. If I could use stats it would be very easy:
| stats latest(host) by field field field field
although stats doesn't allow for some fields simply not being present.
When I use table I can easily populate the data, though I must dedup the data first, and I want to be sure I'm getting the latest data.
Is there a way to do this with table somehow?
My suggestion was going to be exactly what @somesoni2 mentioned because your existing | STATS command is backwards of what you want. If you use FILLNULL first, then you can make sure all of your fields have some kind of value:
... your search ... | fillnull field1, field2, field3, field4 value="n/a" | stats latest(field1) as field1, latest(field2) as field2, etc...
If the events you are looking at have all of the relevant fields in a single event, you should be able to use TABLE if you use the SORTBY option with DEDUP first:
... your search ... | dedup host sortby -_time | table host, field1, field2, field3, etc
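Both suggestions in the answer above, run side by side over a small set of constructed inventory events so the difference is visible without a real index. This is an added example, not code from the answer's author; the hosts, the nic2/hdd3 field names and the timestamps are made up for illustration, and makeresults/streamstats stand in for the "... your search ..." part.

```spl
| makeresults count=5
| streamstats count AS n
| eval _time = now() - (n * 3600)
| eval host = case(n=1, "web01", n=2, "db01", n=3, "web01", n=4, "db01", n=5, "web01")
| eval nic2 = case(n=1, "eth1", n=3, "eth1-old")
| eval hdd3 = case(n=2, "sdc", n=5, "sdc-old")
| fillnull value="n/a" nic2 hdd3
| stats latest(nic2) AS nic2, latest(hdd3) AS hdd3 BY host
```

The constructed data has two hosts, each reported several times; n=1 is the newest event. The fillnull step gives every event a value for every inventory field, so stats latest() per host returns web01 with nic2=eth1, hdd3=n/a and db01 with nic2=n/a, hdd3=sdc, i.e. exactly the newest report per host. Without fillnull, latest() ignores null values and would fill web01's hdd3 from the older event (sdc-old), silently mixing two reports. The second suggestion, replacing the last two lines with:

| dedup host sortby -_time
| table host, nic2, hdd3

returns the same newest-per-host rows, with empty cells instead of n/a where a field was absent, because dedup keeps only the first event per host after sorting newest first.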
I am trying to get the latest entry for every field. Stats will not work, as I've mentioned that not all fields are existent in each instance. stats just causes 'no results' to be found.