I have multiple log sources that are appended to on a daily basis. All rows in one refresh have the same epoch time. I would like to select all values from each log source based on the last epoch time.
I get the last collection epoch with the following stats:
sourcetype=my_sourcetype | fields epochtime, source | stats max(epochtime) as lasttime by source
This gives me a list of epoch values, one for each source.
Next, I am trying to filter based on the above as follows:
sourcetype=my_sourcetype | rename epochtime as lasttime | join type=inner lasttime, source [ search sourcetype=my_sourcetype | fields epochtime, source | stats max(epochtime) as lasttime by source ]
I was expecting it to filter like a SQL filter, where a.lasttime=b.lasttime and a.source=b.source, but it seems that for each epoch I get multiple events from the main query.
How do I change this query to filter based on the results of the stats?
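As an added example (not part of the question above), two SPL searches that express the "latest epoch per source" filter without join. Both assume the same field names as the question (sourcetype=my_sourcetype, epochtime, source). The first search uses eventstats to attach the per-source maximum to every event and then keeps only events whose epochtime equals it; the second pushes the same stats into a subsearch, which Splunk expands into an OR of (source="..." AND epochtime=...) terms that filters at index time.

```spl
sourcetype=my_sourcetype
| eventstats max(epochtime) as lasttime by source
| where epochtime = lasttime
| fields - lasttime

sourcetype=my_sourcetype
    [ search sourcetype=my_sourcetype
      | stats max(epochtime) as epochtime by source
      | fields source epochtime ]
```

The eventstats form is the safer default: it has no subsearch result or time limits, and it does not depend on epochtime being searchable as a raw term in the base search. The subsearch form is cheaper when the number of sources is small (it avoids retrieving every event), but it is subject to the default subsearch limits (10,000 results and 60 seconds), so a source that silently drops out of the subsearch simply disappears from the results rather than raising an error.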