Example data:
(This is one run of a DBX dump input to an index.)
ComputerName1, Application1, _time1
ComputerName1, Application2, _time1
ComputerName1, Application3, _time1
ComputerName1, Application4, _time1
ComputerName1, Application5, _time1
ComputerName2, Application1, _time2
ComputerName2, Application2, _time2
ComputerName2, Application3, _time2
It appears that a DBX dump of the query we are using results in a different '_time' index stamp for each ComputerName. Which... was unexpected behavior but may work to advantage.
When the DBX input runs again, there will be another set of similar data per machine, but the '_time' index stamp will be more recent in time.
Using 'dedup' compresses all the records into the latest single record.
Using '| stats values(ComputerName), latest(_time) by Application' works for a single dump. However, any additional dumps would cause issues. For example, if I uninstall an application, this would still bring back the old application with the earlier '_time' index stamp.
Is there a way somehow to group these sets of results individually? The verbal wanted results would be along the lines of: "Return the latest snapshot of a computer, based on its most recent indexing, which should not include any prior index runs."
This is an example of the data when continued inputs are run:
ComputerName1, Application1, _time1
ComputerName1, Application2, _time1
ComputerName1, Application3, _time1
ComputerName1, Application4, _time3
ComputerName1, Application5, _time3
ComputerName2, Application1, _time2
ComputerName2, Application2, _time2
ComputerName2, Application3, _time4
I want to return:
ComputerName1, Application4, _time3
ComputerName1, Application5, _time3
ComputerName2, Application3, _time4
As they are the latest run of a set, per machine.
Edit 3/26/2014:
Using this query gets the correct data, but the application name is turned into a multikey value:
index=foo name=bar | transaction name _time | dedup name | table name, product, scantime, _time
So the table output is:
name, (product1, product2, product3), _time
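The "latest snapshot per machine" rule the question describes (keep every row whose '_time' equals the newest '_time' seen for that ComputerName, and drop everything from older runs) is easy to state precisely outside of SPL. The following Python is an added reference implementation, not code from the thread or from Splunk; it works over a constructed copy of the second table above with placeholder epoch values for _time1.._time4. The comment naming an equivalent SPL pattern (eventstats max(_time) by ComputerName, then filter) is my assumption about the asker's field names, not something the thread confirms. It matters for inventory accuracy: an application removed from a host must not be resurrected from a stale dump.

```python
from collections import defaultdict

# Constructed sample, mirroring the second table in the question: two DBX runs per
# machine, where the later run no longer lists some applications. _time is given as
# an epoch second (placeholder values), which is how Splunk stores it internally.
RAW_EVENTS = """\
ComputerName1, Application1, 1395600000
ComputerName1, Application2, 1395600000
ComputerName1, Application3, 1395600000
ComputerName1, Application4, 1395686400
ComputerName1, Application5, 1395686400
ComputerName2, Application1, 1395603600
ComputerName2, Application2, 1395603600
ComputerName2, Application3, 1395690000
"""


def parse_events(text):
    """Turn the comma-separated dump lines into (computer, application, _time) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        computer, application, time_str = (part.strip() for part in line.split(","))
        events.append((computer, application, int(time_str)))
    return events


def latest_snapshot(events):
    """Keep only the rows that belong to each computer's most recent run.

    Same idea as the SPL pattern (assumed field names, not confirmed by the thread):
        | eventstats max(_time) as latest by ComputerName | where _time=latest
    First find the newest _time per computer, then drop every row that is older.
    Rows from earlier runs disappear entirely, so an application that was
    uninstalled between runs is not carried forward from the stale dump.
    """
    latest = {}
    for computer, _application, t in events:
        if t > latest.get(computer, -1):
            latest[computer] = t
    return [ev for ev in events if ev[2] == latest[ev[0]]]


def snapshot_by_computer(events):
    """Group the latest snapshot into {computer: sorted list of applications}."""
    grouped = defaultdict(list)
    for computer, application, _t in latest_snapshot(events):
        grouped[computer].append(application)
    return {computer: sorted(apps) for computer, apps in grouped.items()}


if __name__ == "__main__":
    for row in latest_snapshot(parse_events(RAW_EVENTS)):
        print(", ".join(str(value) for value in row))
```

Running it prints the three rows the question asks for (ComputerName1 with Application4 and Application5, ComputerName2 with Application3). Note the assumption the whole approach rests on, which the question also observed: every row of one dump run for a given machine carries the same _time. If a single run were indexed with differing _time values per row, the equality filter would keep only part of that run, so a run identifier (or a rounded scan time) would be a safer grouping key than the raw index timestamp.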