Query to get latest timestamp


    Kevin Keech

    try this:


    | parse "event=*," as eventId
    | parse "userId=*," as userId
    // _messagetime is an internal field representing the time the message occurred.
    // max(_messagetime) pulls out the maximum ("latest") _messagetime for each group.
    // There's one group for each userId, because you are aggregating on it.
    | count, max(_messagetime) as last_login_time by userId
    // Need a quick cast to tell Sumo that this is actually a long (millis since epoch).
    | toLong(last_login_time)
    // And finally, the magic incantation to turn a timestamp into a string based on
    // a supplied format. The format string follows the Java SimpleDateFormat.
    | formatDate(fromMillis(last_login_time), "yyyy-MM-dd HH:mm:ss.SSS") as last_login_time
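To see what each stage of that query does on concrete data, here is an added, stand-alone Python rendering of the same pipeline; it is not part of the original post and is not Sumo Logic code. It parses the `event=*,` and `userId=*,` fields, groups by `userId`, keeps the count and the latest millisecond timestamp per user, and formats that timestamp the way `formatDate(fromMillis(...), "yyyy-MM-dd HH:mm:ss.SSS")` would. The log lines and epoch values are constructed for the example, the timezone is assumed to be UTC, and the optional `event_filter` argument goes beyond the original query (which aggregates over every parsed message, logouts included), so that "last login" really means the last `login` event.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample data (not from the original post). Each tuple is
# (milliseconds since epoch, standing in for Sumo's _messagetime, raw message).
SAMPLE_LOGS = [
    (1700000000000, "event=login, userId=alice, src=10.0.0.5"),
    (1700000065000, "event=login, userId=bob, src=10.0.0.9"),
    (1700003600000, "event=login, userId=alice, src=10.0.0.5"),
    (1700007200123, "event=logout, userId=alice, src=10.0.0.5"),
    (1700001000000, "event=login, userId=carol, src=10.0.0.7"),
    (1700001500000, "healthcheck ok"),  # no fields: Sumo's parse drops this line
]

# Equivalent of: | parse "event=*," as eventId | parse "userId=*," as userId
# The '*' glob matches up to the next comma, hence the [^,]* character class.
EVENT_RE = re.compile(r"event=([^,]*),")
USER_RE = re.compile(r"userId=([^,]*),")


def parse_fields(message):
    """Return (eventId, userId), or None when either field is missing."""
    ev = EVENT_RE.search(message)
    us = USER_RE.search(message)
    if not ev or not us:
        return None
    return ev.group(1), us.group(1)


def format_millis(millis):
    """Equivalent of formatDate(fromMillis(x), "yyyy-MM-dd HH:mm:ss.SSS"), in UTC.

    strftime has no SimpleDateFormat-style 'SSS' token, so the whole-second part
    is formatted with strftime and the millisecond remainder appended by hand.
    Integer arithmetic avoids float rounding on the milliseconds.
    """
    dt = datetime.fromtimestamp(millis // 1000, tz=timezone.utc)
    return dt.strftime("%Y-%m-%d %H:%M:%S.") + f"{millis % 1000:03d}"


def last_login_by_user(logs, event_filter=None):
    """Equivalent of: | count, max(_messagetime) as last_login_time by userId

    Returns {userId: {"count": n, "last_login_time": "yyyy-MM-dd HH:mm:ss.SSS"}}.
    event_filter (hypothetical extension, not in the original query) restricts the
    aggregation to one eventId, e.g. "login"; None reproduces the query as posted.
    """
    groups = defaultdict(lambda: {"count": 0, "max_ms": None})
    for millis, message in logs:
        parsed = parse_fields(message)
        if parsed is None:
            continue  # unparsable lines never reach the aggregation
        event_id, user_id = parsed
        if event_filter is not None and event_id != event_filter:
            continue
        g = groups[user_id]
        g["count"] += 1
        if g["max_ms"] is None or millis > g["max_ms"]:
            g["max_ms"] = millis
    return {
        user: {"count": g["count"], "last_login_time": format_millis(g["max_ms"])}
        for user, g in groups.items()
    }


if __name__ == "__main__":
    for user, row in sorted(last_login_by_user(SAMPLE_LOGS, event_filter="login").items()):
        print(user, row["count"], row["last_login_time"])
```

Two things worth noting when you run this against the sample: without `event_filter`, alice's `last_login_time` is actually her logout at `00:13:20.123`, which is exactly what the posted query would report; and `healthcheck ok` contributes nothing because a failed `parse` drops the message before the aggregation, so per-user counts only reflect lines that carried both fields.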

