You must enable the
flag to use this function. See
Enabling/Disabling Features for more information.
Selects the maximum value of the specified field, and then generates an event with the specified fields from the matcing event.
|string||true||The names of the field to use to calculate minimum value.|
|[string]||true||The names of the fields to include in the generated event.|
Find the first value of a field x (and when that value was from)?
selectFromMax(@timestamp, include=[x, @timestamp])
This selects the maximum value of
contains an event with the specified field and the corresponding