Specify a set of fields to select from events; for each field it will keep the field value of the most recent event with that field. This can be used to collect field values across a range of events, where each event contributes one or more fields to the output event. It is usually most useful in combination with groupBy().

ParameterTypeRequiredDefault ValueDescription
fields[a]Array of stringsrequired  The names of the fields to keep.

[a] The argument name fields can be omitted.

Hide omitted argument names for this function

Show omitted argument names for this function

selectLast() Examples

Given event data like {id:a, from:x}, {id:a, to:x}, — a table with {id, from, to} tuples.

logscale
groupby(id, function=selectLast([from,to]))

There is no function for a logical opposite (select the first matching event for a given field) of the selectLast() function, but for an arbitrary array of values as in the previous example, the equivalent to selectLast([from,to]) query would be:

logscale
[
 { from = *
| head(1)
| select(from) },
 { to = *
| head(1)
| select(to) }
]

When working with the @timestamp field, the query: 

selectLast([@timestamp])

Is equivalent to using max(): 

max(@timestamp)

The opposite operation can be achieved by using min(): 

min(@timestamp)