Specify a set of fields to select from events; for each field, selectLast() keeps the value from the most recent event that has that field. This can be used to collect field values across a range of events, where each event contributes one or more fields to the output event. It is usually most useful in combination with groupBy().

fields (type: [string], required: true): The names of the fields to keep. [a]

[a] If an argument name is not given, fields is the default argument.

selectLast() Examples

Given event data like {id:a, from:x}, {id:a, to:x}, the following query produces a table with {id, from, to} tuples:

groupBy(id, function=selectLast([from,to]))
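
The per-field behaviour of this query, modelled in Python as an added example (it is not LogScale code and not part of the original documentation). It assumes "most recent" means the largest @timestamp; the sample events and all function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample events, deliberately not in time order.
EVENTS = [
    {"@timestamp": 130, "id": "a", "from": "z"},
    {"@timestamp": 100, "id": "a", "from": "x"},
    {"@timestamp": 110, "id": "a", "to": "y"},
    {"@timestamp": 120, "id": "b", "from": "p", "to": "q"},
    {"@timestamp": 140, "id": "b", "to": "r"},
    {"@timestamp": 150, "id": "c", "from": "m", "to": "n"},
]

def select_last(events, fields):
    """Per field, keep (value, timestamp) from the newest event that has it."""
    picked = {}
    for ev in events:
        ts = ev["@timestamp"]
        for f in fields:
            if f in ev and (f not in picked or ts >= picked[f][1]):
                picked[f] = (ev[f], ts)
    return picked

def _groups(events, key):
    """Bucket events by the value of the grouping key."""
    buckets = defaultdict(list)
    for ev in events:
        if key in ev:
            buckets[ev[key]].append(ev)
    return buckets

def group_by_select_last(events, key, fields):
    """Model of groupBy(key, function=selectLast(fields)): one row per key."""
    return {k: {f: v for f, (v, _) in select_last(evs, fields).items()}
            for k, evs in _groups(events, key).items()}

def mixed_rows(events, key, fields):
    """Keys whose output row combines values taken from different events."""
    return sorted(k for k, evs in _groups(events, key).items()
                  if len({ts for _, ts in select_last(evs, fields).values()}) > 1)

if __name__ == "__main__":
    print(group_by_select_last(EVENTS, "id", ["from", "to"]))
    print(mixed_rows(EVENTS, "id", ["from", "to"]))
```

The rows for ids a and b pair a from value and a to value that never appeared in the same event, so an output row should not be read as a record of one single event.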

There is no function that is the logical opposite of selectLast() (selecting the first matching event for a given field). For an arbitrary array of values, as in the previous example, the query equivalent to selectLast([from,to]) would be:

{ from = *
  | head(1)
  | select(from) },
{ to = *
  | head(1)
  | select(to) }

When working with the @timestamp field, the query:


Is equivalent to using max():


The opposite operation can be achieved by using min():