selectLast()

Specify a set of fields to select from events; for each field it will keep the field value of the most recent event with that field. This can be used to collect field values across a range of events, where each event contributes one or more fields to the output event. It is usually most useful in combination with groupBy().
Examples
Given events like {id:a, from:x} and {id:a, to:x}, the following query produces a table of {id, from, to} tuples:

  groupBy(id, function=selectLast([from,to]))
There is no function for the logical opposite of selectLast() (selecting the first matching event for a given field), but for an arbitrary array of fields as in the previous example, the opposite of selectLast([from,to]) can be written as a composite query:

  [
    { from = *
      | head(1)
      | select(from) },
    { to = *
      | head(1)
      | select(to) }
  ]
When working with the @timestamp field, the query:

  selectLast([@timestamp])

is equivalent to using max():

  max(@timestamp)

The opposite operation can be achieved by using min():

  min(@timestamp)
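As an added illustration (not LogScale's own code), the following Python models the selectLast() semantics described above on constructed events: the newest value per field wins, an event lacking a field leaves the older value intact, the head(1) construction yields the first value instead, and on @timestamp the two reduce to max() and min(). The names select_last, select_first and group_by are hypothetical helpers, not query functions.

```python
"""Model of selectLast() semantics on constructed events (illustration only)."""

# Constructed sample events, not from a real system. @timestamp is in ms.
# Within id 'a', 'from' appears twice; the newer value (z) must win.
EVENTS = [
    {"@timestamp": 1000, "id": "a", "from": "x"},
    {"@timestamp": 2000, "id": "a", "to": "y"},
    {"@timestamp": 3000, "id": "a", "from": "z"},
    {"@timestamp": 1500, "id": "b", "to": "q"},
    {"@timestamp": 2500, "id": "b", "from": "p"},
]


def select_last(events, fields):
    """For each field, keep the value from the most recent event that has it.

    An event without a given field does not overwrite an older value, which
    is what lets one output event collect fields from several input events.
    """
    out = {}
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        for f in fields:
            if f in ev:
                out[f] = ev[f]
    return out


def select_first(events, fields):
    """Opposite of select_last: per field, the `f=* | head(1) | select(f)` value."""
    out = {}
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        for f in fields:
            if f in ev and f not in out:
                out[f] = ev[f]
    return out


def group_by(events, key, fn, fields):
    """Model of groupBy(key, function=fn([fields])): one output row per key value."""
    buckets = {}
    for ev in events:
        buckets.setdefault(ev[key], []).append(ev)
    return [{key: k, **fn(evs, fields)} for k, evs in sorted(buckets.items())]


if __name__ == "__main__":
    for row in group_by(EVENTS, "id", select_last, ["from", "to"]):
        print(row)  # {'id': 'a', 'from': 'z', 'to': 'y'} then id 'b'
```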