vefviva.blogg.se

Splunk stats count by
Today we have come with a new interesting topic: some useful functions which we can use with the stats command. Those are first(), last(), earliest() and latest().

To show the usage of these functions we will use the event set from the below query. Please see the below image to see how the result of this query looks. Now, we will show you the usage of these functions on this event set.

Example 1: index=info | table _time,_raw | stats first(_raw)

This function is used to retrieve the first seen value of a specified field. We have used “| stats first(_raw)”, which is giving the first event from the event list. In other words, you can say it is giving the first seen value in the “_raw” field. If you compare this with image 1 you will understand that this value of “_raw”, with the timestamp “12:00:07”, is the first event, or the first value of the “_raw” field, from the result set according to the order of events, which is “Wed 12:00:07 Sneha is 18 years old” (irrespective of the timestamp).

Example 2: index=info | table _time,_raw | stats last(_raw)

This function is used to retrieve the last seen value of a specified field. We have used “| stats last(_raw)”, which is giving the last event, or the bottom event, from the event list. In other words, you can say it is giving the last value in the “_raw” field. If you compare this with image 1 you will understand that this value of “_raw”, with the timestamp “11:34:23”, is the last event, or the last value in the “_raw” field, from the result set according to the order of events, which is “Wed Ap11:34:23 Saheb is 15 years old.” (irrespective of the timestamp).

Example 3: index=info | table _time,_raw | stats earliest(_raw)

This function is used to retrieve the event with the oldest timestamp.

NOTE: Chronological order defines ordering events in accordance with

Now, we have used “| stats earliest(_raw)”, which is giving the event (the value of the “_raw” field) which has the oldest timestamp (chronologically earliest). If you check image 1, you can see the oldest timestamp value in the “_time” field is “11:34:23”, and using the “| stats earliest(_raw)” function we are getting the value of the “_raw” field associated with that time, which is “Wed Ap11:34:23 Saheb is 15 years old.”.

Example 4: index=info | table _time,_raw | stats latest(_raw)

This function is used to retrieve the event which has the most recent timestamp (chronologically latest event). Now, we have used “| stats latest(_raw)”, which is giving the event (the value of the “_raw” field) which has the most recent timestamp (chronologically latest).
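The distinction the post draws, first()/last() following result order while earliest()/latest() follow _time, is easy to see by modelling the four functions over a small result set. The example below is added here and is not code from the post; the events, hosts and timestamps are constructed, and it goes one step beyond the post by including a late-arriving event that is out of chronological order, so that first() and latest() no longer agree. A count by host is included because that is the grouping the page title refers to.

```python
from datetime import datetime
from collections import Counter

# Constructed sample result set (not the post's own events). The list is in the
# order Splunk returns search results (newest first), but the third event arrived
# late and sits out of chronological order: the case where order-based and
# timestamp-based functions disagree.
EVENTS = [
    {"_time": datetime(2021, 4, 7, 12, 0, 7),   "host": "web1", "_raw": "12:00:07 Sneha is 18 years old"},
    {"_time": datetime(2021, 4, 7, 11, 34, 23), "host": "web2", "_raw": "11:34:23 Saheb is 15 years old"},
    {"_time": datetime(2021, 4, 7, 12, 15, 42), "host": "web1", "_raw": "12:15:42 late-arriving event"},
]

def stats_first(events, field):
    """first(<field>): value from the first event in the result set (order-based)."""
    return events[0][field] if events else None

def stats_last(events, field):
    """last(<field>): value from the bottom event in the result set (order-based)."""
    return events[-1][field] if events else None

def stats_earliest(events, field):
    """earliest(<field>): value from the event with the oldest _time (timestamp-based)."""
    return min(events, key=lambda e: e["_time"])[field] if events else None

def stats_latest(events, field):
    """latest(<field>): value from the event with the newest _time (timestamp-based)."""
    return max(events, key=lambda e: e["_time"])[field] if events else None

def stats_count_by(events, field):
    """stats count by <field>: number of events per distinct value of the field."""
    return dict(Counter(e[field] for e in events))

def order_vs_time_disagree(events, field):
    """True when result order and chronological order select different events,
    i.e. when first()/last() would not be a safe substitute for latest()/earliest()."""
    return (stats_first(events, field) != stats_latest(events, field)
            or stats_last(events, field) != stats_earliest(events, field))

if __name__ == "__main__":
    for fn in (stats_first, stats_last, stats_earliest, stats_latest):
        print(f"{fn.__name__:>14}(_raw) -> {fn(EVENTS, '_raw')}")
    print("count by host ->", stats_count_by(EVENTS, "host"))
    print("order and time disagree:", order_vs_time_disagree(EVENTS, "_raw"))
```

When events are delivered in strict time order, as in the post's image, first() equals latest() and last() equals earliest(); the late event shows why a detection that needs "the most recent state" should use latest() rather than first().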