I have a search that should be fairly simple, and cannot figure out how to do it.
I want to show the latest result for a string one per hostname. Want to do this in KQL if possible.
I don't think you'll be able to on Discover - because we're grouping on hostname we'll need to use aggregations.
Using the data table visualization you'll want to the Y axis metric using top hits, sorted on timestamp, On the x axis, a terms aggregation on hostname. The search string can be included in the search bar. Is that closer to what you're looking for?
That will work. Thank you for your help. Got the results i was looking for.
Brad
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.