How to display other fields of the "last" event.

Follow

David Combs

• July 12, 2016 21:28

I have update events containing fields: timestamp and computer-name. I want to know the last (more recent) timestamp that each computer was updated. How do I add the corresponding timestamp field to each computer of the report?

0

• 

  Kelly Hamm

  • July 13, 2016 20:33

  Hi David- how about something like this? If you're using a parsed field from the data set other than the sumo reserved _messagetime that's not epoch, you can put that in there and remove the formatdate line. | last(_messagetime) as last_event by computer_name | formatdate(lastEvent,"MM-dd-yyyy hh:mm") as lastevent https://help.sumologic.com/Search/Search_Query_Language/Search_Operators/formatDate https://help.sumologic.com/Search/Search_Query_Language/aaGroup/first_and_last

  0

  Comment actions Permalink

Please sign in to leave a comment.