Hi All, looking for some advice as in how to take the latest values from 2 datasets . We have a base search that pulls user details like name, start_date, end_date, title, location etc from an index...
See more...
Hi All, looking for some advice as in how to take the latest values from 2 datasets . We have a base search that pulls user details like name, start_date, end_date, title, location etc from an index =okta. name start_date end_date title user_id John Smith 2021-06-28T23:59:59.00+05:30 2025-06-28T23:59:59.00+05:30 Consultant 001 The above index has the most current data of a user. Next we have another master lookup file (identities.csv) where we maintain all user details from past few years. This master lookup also contains same fields as the above index. For example: name start_date end_date title user_id John Smith 2021-06-28T23:59:59.00+05:30 2022-06-28T23:59:59.00+05:30 Administrator 001 Notice the end _date and title are different in the lookup. Below is our current search that compares the 2 datasets. We want it to update the date fields or any other field whichever is the latest but at the moment it does NOT update the fields even if any field like end_date or title is modified under index. index=okta
stats latest(_time) as _time, values(profile.title) as title, values(profile.email) as email, values(profile.startDate) as start_Date,values(profile.endDate) as end_Date, values(profile.Name) as Name by user_id
| append [|inputlookup identities.csv]
|stats latest(_time) as _time, latest(profile.title) as title, latest(profile.email) as email, latest(profile.startDate) as start_Date,latest(profile.endDate) as end_Date, latest(profile.Name) as Name by user_id
| table Name title start_date end_date user_id Running the above query still shows the old info which has the old end_date and title even though i am using |stats latest() . Pls advise how to retrieve the latest be it date format or be it string format which is "title" name start_date end_date title John Smith 2021-06-28T23:59:59.00+05:30 2022-06-28T23:59:59.00+05:30 Administrator