I need to find the first and the last inserts of sources in events:
FROM *.events.* | KEEP @timestamp,source
| stats latest=max(@timestamp) by source

FROM *.events.* | KEEP @timestamp,source
| stats first=min(@timestamp) by source
Now I create two dataframes and merge them based on source.
But can I do this in ESQL?
Not working examples:
# ROW can only take constants:
FROM *.events.* | KEEP @timestamp,source
| ROW latest=max(@timestamp), first=min(@timestamp)

# stats cut off @timestamp
FROM *.events.* | KEEP @timestamp,source
| stats latest=max(@timestamp) by source
| stats first=min(@timestamp) by source
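
One way to get both values in a single query, as an added example that is not part of the original post: STATS accepts several comma-separated aggregations under one BY clause, so both are computed before @timestamp is dropped. The index pattern and field names are the ones from the post; the SORT step is an addition.

```esql
// Both aggregations run in the same STATS, so each one still sees @timestamp.
// Chaining a second STATS fails because the first one outputs only
// its aggregate column and the BY key (here: latest, source).
FROM *.events.*
| KEEP @timestamp, source
| STATS first = MIN(@timestamp), latest = MAX(@timestamp) BY source
// Added for readability: most recently active sources first.
| SORT latest DESC
```

The result has one row per source with the columns first, latest and source, which replaces the two-dataframe merge.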