I am trying to fetch the latest 50 events by _time.
This is the search I used, putting required columns in a table:
index=intlims country!=US appSection!=DSIM* AND appSection!=Features AND appSection!=Price* services{}.name!="EvaluateIMSRule" AND services{}.name!="printShelfLabel"
| rename services{}.successful as servicesSuccessful, services{}.name as servicesName
| table country, site, servicesName, servicesSuccessful, _time
There are only a few items in the search results, but there are at least a million events.
country  site   servicesName         servicesSuccessful  _time
MX       02731  GetProductLocations  true                2020-04-22 16:20:53
CA       03739  GetItemInfoForBin    true                2020-04-22 16:20:53
MX       03866  GetProductLocations  true                2020-04-22 16:20:53
UK       04844  GetProductLocations  true                2020-04-22 16:20:53
NI       04396  GetProductLocations  true                2020-04-22 16:20:53
Expected results are shown below, fetching the latest 50 events by time per servicesName, site and country:
country  site   servicesName         servicesSuccessful  _time
MX       02731  GetProductLocations  true                2020-04-22 16:20:53
MX       02731  GetProductLocations  true                2020-04-22 16:18:53
MX       02731  GetProductLocations  false               2020-04-22 16:16:53
MX       02731  GetProductLocations  true                2020-04-22 16:15:53
MX       02731  GetProductLocations  true                2020-04-22 16:00:53
CA       03739  GetItemInfo          true                2020-04-22 16:20:53
CA       03739  GetItemInfo          true                2020-04-22 16:19:53
CA       03739  GetItemInfo          false               2020-04-22 16:18:53
CA       03739  GetItemInfo          true                2020-04-22 15:20:53
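One way to get the 50 most recent events per country, site and servicesName, as an added example (not part of the original post and not a reply on the page): a plain event search returns events newest-first, so a running count per group marks each event's rank within its group, and a where clause keeps ranks 1 through 50. It keeps the poster's base search and renames unchanged and assumes each event carries a single services{} entry, so that servicesName and servicesSuccessful are single-valued after the rename; if an event holds several service entries those fields become multivalue and the grouping would need to split them first.

```spl
index=intlims country!=US appSection!=DSIM* AND appSection!=Features AND appSection!=Price* services{}.name!="EvaluateIMSRule" AND services{}.name!="printShelfLabel"
| rename services{}.successful AS servicesSuccessful, services{}.name AS servicesName
| streamstats count AS rank BY country site servicesName
| where rank <= 50
| fields - rank
| sort 0 country site servicesName -_time
| table country, site, servicesName, servicesSuccessful, _time
```

The streamstats step is a streaming command, so it works on the events in the order the search hands them over and does not have to sort the whole million-event result set; `sort 0` at the end only orders the surviving rows for display (the 0 lifts the default 10,000-row sort limit). The same result in one command is `| dedup 50 country site servicesName sortby -_time` placed before the table command, at the cost of a full sort of every event that matched the search.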