Specifies a set of fields to select from events; for each field, selectLast() keeps the value from the most recent event that contains that field. This can be used to collect field values across a range of events, where each event contributes one or more fields to the output event. It is usually most useful in combination with groupBy().

| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
| fields | [string] | true | | The names of the fields to keep. [a] |

[a] When you provide only one parameter, the implied parameter is fields.

Examples

Given event data like {id:a, from:x}, {id:a, to:x}, the following query produces a table with {id, from, to} tuples:

logscale
groupby(id, function=selectLast([from,to]))

There is no function that is the logical opposite of selectLast() (one that selects the first matching event for a given field), but for an arbitrary array of values as in the previous example, the equivalent to the selectLast([from,to]) query would be:

logscale
[
 { from = * | head(1) | select(from) },
 { to = * | head(1) | select(to) }
]

When working with the @timestamp field, the query:

selectLast([@timestamp])

is equivalent to using max():

max(@timestamp)

The opposite operation can be achieved by using min():

min(@timestamp)
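
The semantics described on this page, modelled in Python as an added example (this is not LogScale code or its implementation; `select_last`, `group_by`, the sample events and the tie-breaking rule are assumptions). It shows one output row per id being assembled from different events, and selectLast([@timestamp]) agreeing with max(@timestamp):

```python
# Added illustration: a reference model of selectLast() semantics.
# Not LogScale's implementation; all function names are hypothetical.
from collections import defaultdict

TS = "@timestamp"

def select_last(events, fields):
    """For each field, keep the value from the most recent event carrying it."""
    out, newest = {}, {}
    for ev in events:
        for f in fields:
            # Assumption of this model: on equal timestamps, the event
            # seen later in the input wins.
            if f in ev and (f not in newest or ev[TS] >= newest[f]):
                out[f], newest[f] = ev[f], ev[TS]
    return out

def group_by(events, key, fields):
    """Model of groupBy(key, function=selectLast(fields))."""
    groups = defaultdict(list)
    for ev in events:
        if key in ev:
            groups[ev[key]].append(ev)
    return {k: select_last(evs, fields) for k, evs in groups.items()}

# Constructed sample events (not from the page): fields are spread across
# events and the events arrive out of timestamp order.
EVENTS = [
    {TS: 1000, "id": "a", "from": "x"},
    {TS: 3000, "id": "a", "to": "y"},
    {TS: 2000, "id": "a", "from": "z"},  # newer than ts=1000, so from=z wins
    {TS: 1500, "id": "b", "from": "q"},  # id b never carries a "to" field
]

def demo():
    """One row per id; a field no event in the group carries is left out."""
    return group_by(EVENTS, "id", ["from", "to"])

def last_timestamp():
    """Model of selectLast([@timestamp]) over all events."""
    return select_last(EVENTS, [TS])[TS]

if __name__ == "__main__":
    for gid, row in demo().items():
        print(gid, row)
    print("selectLast([@timestamp]) ->", last_timestamp())
```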