Hello,
I am trying to create a report that only looks at the latest events by a sourcetype.
The sourcetype is an indexed text file, and it pulls in the events every time the file changes.
This is the working search:
index=ops sourcetype="csv-marketData" earliest=-12h@h | where Price!="NA"
| eval cal_mkt_cap=round(Share_Outstanding * Price,3)
| eval rnd_MKT_CAP = round(MARKET_CAP,3)
| eval perc_range = (cal_mkt_cap / rnd_MKT_CAP)*100
| where perc_range < 99
| eval rnd_perc = round(perc_range,2)
| rename cal_mkt_cap as "Calculated MKT CAP"
| rename rnd_MKT_CAP as "Provided MKT CAP"
| rename rnd_perc as "%"
| table ID "Calculated MKT CAP" "Provided MKT CAP" "%"
I would like this table to only show results from the latest set of events. Each event set has the same _time value. New events can come in minutes apart or once daily, so I would like to always be reviewing the latest indexed file.
Thanks for your help.
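One way to restrict the table to the newest event set, as an added example that is not part of the original post: compute the maximum _time across the 12-hour window with eventstats and keep only events carrying that value. It assumes, as the post states, that every event from one file ingest shares the same _time; the field name latest_time is chosen here and is not from the post.

```spl
index=ops sourcetype="csv-marketData" earliest=-12h@h
| eventstats max(_time) as latest_time
| where _time = latest_time
| where Price!="NA"
| eval cal_mkt_cap=round(Share_Outstanding * Price,3)
| eval rnd_MKT_CAP = round(MARKET_CAP,3)
| eval perc_range = (cal_mkt_cap / rnd_MKT_CAP)*100
| where perc_range < 99
| eval rnd_perc = round(perc_range,2)
| rename cal_mkt_cap as "Calculated MKT CAP"
| rename rnd_MKT_CAP as "Provided MKT CAP"
| rename rnd_perc as "%"
| table ID "Calculated MKT CAP" "Provided MKT CAP" "%"
```

The eventstats filter is placed before the Price filter so the newest set is chosen from all events of that ingest, not only from those with a usable Price.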