Transforms - Latest and Pivot

Hello,

I was wondering if it's possible to do something like a combination of latest and pivot or maybe more understanding of what I can do with each.

So use case:
I have a status field (keyword) reported for an object field (keyword) into time series log ingestion. The problem is that a status value of "up" might appear in the last 7 days; the status field won't reappear unless an event triggers and reports the value of "down". So I want to be able to show a static or updated index that can show the object, status, and the last value of the timestamp (the time the value was updated). Essentially a health overview of object values.

I did try this with latest, and it did keep the latest value of status; its @timestamp was the last value of timestamp. This doesn't work for me because the overview of all objects and status varied depending on time range.

I want it to be static, so I used a pivot. The pivot did a great job at keeping a static index, but now I can't determine when the values were last updated.

I might be overthinking this, any help would be great!

Hello,

it's possible to do something like a combination of latest and pivot

Unfortunately, no, you can only choose one type, either latest transform or pivot transform.

So use case:
I have status field ...

It is a bit hard to understand your use case from the description. It will be more useful if you could post part of your source data (mask the sensitive information), then tell us what you want it to be transformed to.

I want it to be static, so I used a pivot. The pivot did a great job at keeping a static index, but now I can't determine when the values were last updated.

Have you checked our painless examples for pivot transform? You might be able to find some similar case from there.

Thanks.
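Added example, not part of the original thread and not Elastic's own code: a single pivot transform that keeps one document per object, holding the most recently reported status and the time it was reported, using the `max` and `top_metrics` aggregations. The transform id, the index names and the `object` and `status` field names are assumptions taken from the description in the question.

```console
# Added example. Assumed names: transform id, source/dest indices,
# and the keyword fields "object" and "status".
PUT _transform/object-status-overview
{
  "source": { "index": "logs-status-*" },
  "dest": { "index": "object-status-overview" },
  "frequency": "5m",
  "sync": {
    "time": { "field": "@timestamp", "delay": "60s" }
  },
  "pivot": {
    "group_by": {
      "object": { "terms": { "field": "object" } }
    },
    "aggregations": {
      "last_updated": {
        "max": { "field": "@timestamp" }
      },
      "last_status": {
        "top_metrics": {
          "metrics": [ { "field": "status" } ],
          "sort": { "@timestamp": "desc" }
        }
      }
    }
  }
}
```

Each destination document then carries `object`, `last_updated` and `last_status.status`, so a dashboard built on the destination index shows the same overview regardless of the time range selected on the source data.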
