We tried this search below:
index=test | eval dup=_raw | convert ctime(_time) as T1 | transaction dup mvlist=t maxspan=1s keepevicted=true | where eventcount>1
And these are sample events:
_time : 4/9/2015 12:00:01 :-----host:foo1, source:foo2, source type:foo3, Date:foo4,status=foo5,Name=foo6.
_time : 4/9/2015 12:00:01 :-----host:foo1, source:foo2, source type:foo3, Date:foo4,status=foo5,Name=foo6.
_time : 4/9/2015 12:00:01 :-----host:foo1, source:foo2, source type:foo3, Date:foo4,status=foo5,Name=foo6.
time : 4/9/2015 13:00:01 :-----host:foo1, source:foo2, source type:foo3, Date:foo4,status=foo5,Name=foo6.
time : 4/9/2015 13:00:01 :-----host:foo1, source:foo2, source type:foo3, Date:foo4,status=foo5,Name=foo6.
time : 4/9/2015 14:00:01 :-----host:foo1, source:foo2, source type:foo3, Date:foo4,status=foo5,Name=foo6.
time : 4/9/2015 15:00:01 :-----host:foo1, source:foo2, source type:foo3, Date:foo4,status=foo5,Name=foo6.
I want latest events like the example below, remove the other events without using dedup command,
time : 4/9/2015 15:00:01 :-----host:foo1, source:foo2, source type:foo3, Date:foo4,status=foo5,Name=foo6.
... View more