Specify a set of fields to select from events; for each field it will keep the field value of the most recent event with that field. This can be used to collect field values across a range of events, where each event contributes one or more fields to the output event. It is usually most useful in combination with groupBy().
Omitted Argument Names

The argument name for fields can be omitted; the following forms of this function are equivalent:

selectLast(["value"])

and:

selectLast(fields=["value"])

These examples show basic structure only.
selectLast() Examples
Given event data like {id:a, from:x}, {id:a, to:x}, the following query produces a table of {id, from, to} tuples:

groupby(id, function=selectLast([from,to]))
There is no function that is the logical opposite of selectLast() (selecting the first matching event for a given field), but for an arbitrary array of fields as in the previous example, the equivalent of an opposite to the selectLast([from,to]) query would be:

[
  { from = *
    | head(1)
    | select(from) }
  { to = *
    | head(1)
    | select(to) }
]
When working with the @timestamp field, the query:

selectLast([@timestamp])

is equivalent to using max():

max(@timestamp)

The opposite operation can be achieved by using min():

min(@timestamp)
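The following is an added reference model, not LogScale's own code, of what groupBy(id, function=selectLast([from,to])) computes, including the point that each output field comes from the latest event that carries that field, so the from and to values may originate in different events. It assumes recency means @timestamp order and uses a constructed event list; the first=True switch models the "first matching event" counterpart discussed above, and the @timestamp case reproduces the max()/min() equivalence.

```python
# Added example (not LogScale's own implementation): a small model of
# selectLast() semantics over constructed events. Assumes that "most recent"
# means highest @timestamp, which here is a plain integer for readability.

# Constructed sample events; note that 'a' gets its from/to from different events.
EVENTS = [
    {"@timestamp": 1, "id": "a", "from": "x"},
    {"@timestamp": 2, "id": "a", "to": "y"},
    {"@timestamp": 3, "id": "b", "from": "p", "to": "q"},
    {"@timestamp": 4, "id": "a", "from": "z"},   # newer 'from' for a
    {"@timestamp": 5, "id": "b", "to": "r"},     # newer 'to' for b
    {"@timestamp": 6, "id": "c", "from": "m"},   # c never has a 'to' field
]


def select_last(events, fields, first=False):
    """Model selectLast(fields): for each field keep the value from the most
    recent event that has it. With first=True keep the oldest value instead
    (the "opposite" the page builds by hand with head(1))."""
    ordered = sorted(events, key=lambda e: e["@timestamp"])
    if first:
        # Walk newest to oldest so the oldest occurrence overwrites last.
        ordered.reverse()
    result = {}
    for ev in ordered:
        for f in fields:
            if f in ev:  # an event lacking the field does not clear it
                result[f] = ev[f]
    return result


def group_by_select_last(events, key, fields, first=False):
    """Model groupBy(key, function=selectLast(fields)); returns {key: row}."""
    groups = {}
    for ev in events:
        groups.setdefault(ev[key], []).append(ev)
    return {k: {key: k, **select_last(evs, fields, first)}
            for k, evs in groups.items()}


if __name__ == "__main__":
    for row in group_by_select_last(EVENTS, "id", ["from", "to"]).values():
        print(row)
    # selectLast([@timestamp]) behaves like max(@timestamp); first=True like min().
    print(select_last(EVENTS, ["@timestamp"]), select_last(EVENTS, ["@timestamp"], first=True))
```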