I do a query in which I get multiple messages for each day. I want to get the first message for the day (or any single message for each day).
Getting the day is no problem:
display datefloor(@timestamp,1d) as TT ,msg
But from here, I am not sure how to remove the duplicates, or group by TT and select the first one. There is no function first in stats to help me.
Thanks.
This works:
....
| display datefloor(@timestamp,1d) as TT ,b
| stats earliest(b) as x by TT
| display x,TT