Abstract
Learn more about the Cortex Query Language last_value() navigation function that is used with a windowcomp stage.
Syntax
windowcomp last_value(<field>) [by <field> [,<field>,...]] sort [asc|desc] <field1> [, [asc|desc] <field2>,...] [between 0|null|<number>|-<number> [and 0|null|<number>|-<number>] [frame_type=range]] [as <alias>]
Description
The last_value() function is a navigation function used in combination with a windowcomp stage. For each row, it returns a single value of a field taken from the last row in the current window frame, for all records that contain matching values for the fields identified using a combination of the by clause, the sort clause (mandatory), and the between window frame clause.
Example
Return the last IP address a user authenticated from successfully.
preset = authentication_story
| filter auth_identity not in (null, """""") and auth_outcome = """SUCCESS""" and action_country != UNKNOWN
| alter et = to_epoch(_time), t = _time
| bin t span = 1d
| limit 100
| windowcomp last_value(action_local_ip) by auth_identity, t sort asc et between null and null as last_action_local_ip
| fields auth_identity, *action_local_ip
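The following Python sketch is an added illustration, not part of the Cortex documentation and not XQL. It emulates what the windowcomp stage in the example computes over a few constructed authentication records. It assumes that `between null and null` makes the frame span the whole partition; the `last_ip` alias and the helper names are hypothetical.

```python
from collections import defaultdict
from datetime import datetime, timezone

DAY = 86400  # seconds, mirrors "bin t span = 1d"

def epoch(ts):
    """ISO timestamp (treated as UTC) to epoch seconds, like to_epoch(_time)."""
    return int(datetime.fromisoformat(ts).replace(tzinfo=timezone.utc).timestamp())

def last_value(rows, field, by, sort_key, alias):
    """Emulate: windowcomp last_value(field) by <by> sort asc <sort_key>
    between null and null as <alias>.
    Assumption: null/null bounds mean the frame is the entire partition,
    so every row in a partition receives the same value."""
    partitions = defaultdict(list)
    for row in rows:
        partitions[tuple(row[k] for k in by)].append(row)
    out = []
    for part in partitions.values():
        ordered = sorted(part, key=lambda r: r[sort_key])  # sort asc
        last = ordered[-1][field]                          # last row of the frame
        out.extend({**r, alias: last} for r in ordered)    # row count is preserved
    return out

# Constructed sample records: (auth_identity, _time, action_local_ip)
EVENTS = [
    ("alice", "2024-05-01T08:00:00", "10.0.0.5"),
    ("alice", "2024-05-01T17:30:00", "10.0.0.9"),
    ("alice", "2024-05-02T09:15:00", "10.0.0.5"),
    ("bob",   "2024-05-01T11:00:00", "10.0.1.20"),
]

def run():
    rows = []
    for ident, ts, ip in EVENTS:
        et = epoch(ts)
        rows.append({"auth_identity": ident, "et": et,
                     "t": et - et % DAY, "action_local_ip": ip})
    return last_value(rows, "action_local_ip",
                      ["auth_identity", "t"], "et", "last_ip")

if __name__ == "__main__":
    for r in run():
        print(r["auth_identity"], r["t"], r["action_local_ip"], "->", r["last_ip"])
```

Unlike an aggregation, the window computation keeps every input row and annotates it, so both of alice's logins on the first day carry the IP of her latest login that day.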