Identifies the event with the minimum value in a specified field and returns selected fields from that event.

The resulting event contains only the fields specified in the include parameter.

If multiple events share the same minimum value, the selectFromMin() function returns one of those events at random (the choice is non-deterministic).

| Parameter | Type | Required | Default Value | Description |
|---|---|---|---|---|
| field[a] | string | required | | The name of the field that is used to find the minimum value. |
| include | array of strings | required | | The names of the fields to include in the generated event. |

[a] The parameter name field can be omitted.

selectFromMin() Syntax Examples

Find the first value of a field x (and the time at which that value was recorded):

logscale
selectFromMin(@timestamp, include=[x, @timestamp])

This selects the event with minimum value of @timestamp that also contains the specified field x, and returns an event with fields @timestamp and x only.

Find Oldest (First) Value of Field X

Find the oldest (first) value of field X using the selectFromMin() function

Query
logscale
selectFromMin(@timestamp, include=[x, @timestamp])
Introduction

In this example, the selectFromMin() function is used to find the oldest (first) value of the field x and return the timestamp when that value was recorded.

Step-by-Step
  1. Starting with the source repository events.

  2. logscale
    selectFromMin(@timestamp, include=[x, @timestamp])

    Compares the @timestamp of all events and selects the event containing field x with the oldest (lowest) timestamp, returning only the specified fields x and @timestamp.

    In this example, selectFromMin() filters for the "minimum value" of @timestamp, and finds the event with the oldest/first timestamp in the event set that also contains the specified field x. Timestamps are typically stored as numerical values (often in Unix epoch format), where lower numbers represent older times.

    The include parameter is used to specify which fields to include in the output.

  3. Event Result set.

Summary and Results

The query is used to find the oldest value of field x by selecting the event with the lowest (oldest) timestamp value.

Using this query is an efficient way to find the first value since it does not require sorting all results or using other aggregation functions - the query directly selects the oldest matching event.
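The selection behaviour described above, modelled in Python as an added example (this is not LogScale code or its implementation). The sample events are constructed, skipping events that lack the field or an included field is an assumption, and keeping the first tied event is a choice of this model only, which is why reordering the input changes the result.

```python
# Constructed sample events (not from the page); timestamps are epoch milliseconds.
EVENTS = [
    {"@timestamp": 1700000300000, "x": "c"},
    {"@timestamp": 1700000100000, "y": "no-x"},  # oldest overall, but has no field x
    {"@timestamp": 1700000200000, "x": "a"},
    {"@timestamp": 1700000200000, "x": "b"},     # ties with the previous event
]


def _candidates(events, field, include):
    # Assumption: an event missing `field` or any included field is not a candidate.
    needed = {field, *include}
    return (e for e in events if needed.issubset(e))


def select_from_min(events, field, include):
    """Return the included fields of one event holding the minimum `field` value."""
    best = None
    for event in _candidates(events, field, include):
        # One pass, no sort: only the running minimum is kept.
        if best is None or event[field] < best[field]:
            best = event
    return None if best is None else {name: best[name] for name in include}


def tied_events(events, field, include):
    """Return every candidate sharing the minimum, to show when the result is ambiguous."""
    pool = list(_candidates(events, field, include))
    if not pool:
        return []
    low = min(e[field] for e in pool)
    return [{name: e[name] for name in include} for e in pool if e[field] == low]


if __name__ == "__main__":
    cols = ["x", "@timestamp"]
    print(select_from_min(EVENTS, "@timestamp", cols))
    print(select_from_min(list(reversed(EVENTS)), "@timestamp", cols))
    print(tied_events(EVENTS, "@timestamp", cols))
```

When more than one event is tied for the minimum, a "first seen" value taken from the result should be treated as one of several possible answers.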