Hi,
I got an index which continuously receives new source files automatically; what I want is for my search to only return events from the last source file. It should be something simple but I did not figure it out, maybe with the |head command.
Like this (replace ... with the exact same base search; yes, twice):
... [ ... | stats latest(source) AS source ]
Yes!! In my case I have solved it with the head command:
index=index1 source="file.csv" Status="Active" [search index=index1 source="file.csv" | dedup _time | head 1 | return _time] |...
Thanks!!!!
What about the Before Last?
Like this:
... NOT [ ... | stats latest(source) AS source ]
But I mean the before-last source file only.
Did you try it? That's what it does.
Yes, I tried; I have 20 source files for this index and when I do this I get 19, every one of them except the last one. What I need is only the 19th one. I already got the 20th with your answer, I just need the before-last.
Like this:
... [ ... | dedup source | reverse | stats list(source) AS source | eval source=mvindex(source,1) ]
You can then adjust the 1 to whichever one you would like.
That is really great but doesn't solve the problem. This search would only help if I had a fixed number of source files; the problem is: the index continuously receives new source files automatically, so I would need to change the search every time.
Sorry, it worked without the |reverse, look:
index="myindex" [search index="myindex" | dedup source |stats list(source) AS source| eval source=mvindex(source,2) ]
This brings my before-last source file events.
Thanks
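As an added illustration (not part of the thread and not Splunk's own code), the small Python model below shows what the two subsearch patterns in this thread compute: `stats latest(source)` picks the source of the newest event, while `dedup source | stats list(source)` followed by `mvindex(source, n)` picks the n-th newest source, so index 0 is the last file and index 1 is the before-last. It assumes, as Splunk does by default, that events come back in reverse-chronological order, so `dedup` keeps the newest file first. The events are constructed sample data; the function names are the example's own.

```python
from datetime import datetime, timezone

# Constructed sample events: (_time, source, Status). Two files contain
# several events, and "Status" mirrors the Status="Active" filter in the thread.
EVENTS = [
    ("2024-01-01T00:00:00Z", "file_001.csv", "Active"),
    ("2024-01-01T00:05:00Z", "file_001.csv", "Inactive"),
    ("2024-01-02T00:00:00Z", "file_002.csv", "Active"),
    ("2024-01-03T00:00:00Z", "file_003.csv", "Active"),
    ("2024-01-03T00:10:00Z", "file_003.csv", "Active"),
]


def parse_time(stamp):
    """Parse an ISO-8601 UTC timestamp into an aware datetime (stands in for _time)."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def sources_latest_first(events):
    """Model of `dedup source | stats list(source) AS source` over a search whose
    results arrive newest first: one entry per source, ordered newest to oldest."""
    ordered = sorted(events, key=lambda e: parse_time(e[0]), reverse=True)
    seen = []
    for _, src, _ in ordered:
        if src not in seen:          # dedup keeps only the first (newest) hit per source
            seen.append(src)
    return seen


def latest_source(events):
    """Model of `stats latest(source) AS source`: source of the newest event."""
    newest = max(events, key=lambda e: parse_time(e[0]))
    return newest[1]


def nth_latest_source(events, n):
    """Model of `eval source=mvindex(source, n)` over the deduplicated list:
    n=0 is the last file, n=1 the before-last. Returns None when the index
    is out of range, which is what an empty subsearch result would amount to."""
    srcs = sources_latest_first(events)
    return srcs[n] if 0 <= n < len(srcs) else None


def events_from_source(events, src, status=None):
    """Model of the outer search `index=... source=<subsearch> [Status=...]`."""
    return [e for e in events
            if e[1] == src and (status is None or e[2] == status)]


if __name__ == "__main__":
    last = latest_source(EVENTS)
    before_last = nth_latest_source(EVENTS, 1)
    print("last file:", last, "->", len(events_from_source(EVENTS, last)), "events")
    print("before-last file:", before_last, "->",
          len(events_from_source(EVENTS, before_last, "Active")), "active events")
```

Because the list is rebuilt from the data on every run, the index stays stable as new files arrive: position 1 is always the before-last file, whatever the total count.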