Hello, I am trying to take a search like this
`index=public sourcetype=public1* OR sourcetype=public2* newyork* earliest=60m@m | convert ctime(_time) as time | stats latest(time) by device, sourcetype`

| device | sourcetype | latest(time) |
|---|---|---|
| newyorkdevice1 | public1 | 11/10/2019 00:32:00.000 |
| newyorkdevice1 | public2 | 11/10/2019 00:32:00.000 |
| newyorkdevice2 | public1 | 11/10/2019 00:32:00.000 |
| newyorkdevice2 | public2 | 11/10/2019 00:32:00.000 |

and get an output like this

| device | public1 | public2 |
|---|---|---|
| newyorkdevice1 | 11/10/2019 00:32:00.000 | 11/10/2019 00:32:00.000 |
| newyorkdevice2 | 11/10/2019 00:32:00.000 | 11/10/2019 00:32:00.000 |

Any help or advice is appreciated.