Is there an simple way to get the last value of a field (@timestamp sorted) for each customer, hostname, etc.. For example : select logs-myindex-xxx | SORT (@timestamp) | STATS LAST (maxsize) BY customer, hostname... but where is no LAST or First stats function... any idea ?

This one got me for a bit as well. There is the TOP function which should be able to achieve this. Set limit to 1 and change order to act as a first/last function.

Getting LAST record in aggr in ES|QL

Elastic Stack Elasticsearch

jfsardon (Jean Francois Sardon Arraz) January 9, 2025, 9:23am 5

Sure ! Here's the request :
FROM logs-connectivity-qyyp | SORT @timestamp DESC | STATS lastState = TOP (stateStatus,1,"asc"), transitionTime=MAX(transitionTime) BY Client, hostname | WHERE lastState LIKE "Failed"

1 Like

Double Terms aggregation with top_hits sub-aggregation not working

Topic		Replies	Views
ESQL Get a specific field in the most recent document from a group of documents Elasticsearch esql	0	67	April 16, 2025
Query the last match by a field Elasticsearch	3	910	May 10, 2017
Get Laste Value of each host with Query DSL in Discover Kibana	4	657	November 5, 2021
Get last document string value in each bucket Elasticsearch	2	1845	January 30, 2021
Last and sum in Kibana ESSQL Kibana	1	325	July 23, 2021

Getting LAST record in aggr in ES|QL

Related topics