Hi, I’m struggling with some results I’m getting during a Group By transformation. Currently I’m loading logs through Loki, applying some labels as structured metadata. Here’s a breakdown of what values are applied during the ingestion:
- First line of the log:
- label
process_status= “Running” - label
process_start= log line timestamp
- label
- Last line of the log:
- label
process_status= “Completed” - label
process_end= log line timestamp
- label
In Grafana, my query shows this after applying the Extract Fields with the Label as source:
As you can see, process-1 has two rows, one with process_status of “Running” and one with “Failed.”
My goal with the Group By is to reduce the log file to a single line, grouping on the process, and setting the Status to the last value of process_status. I would assume that using the Last* calculation method would do this, but it doesn’t. However, using First* does.
The row for
process-2 has it’s process_status correct because there is only one record. However, when applying First Not Null to process_status on process-1, I get “Failed,” despite that “Failed” is attached to the later log line.
My question is, what are First and Last using to determine what is first or last? Is it the alphabetical order of the strings? The timestamp of the log line? I want to know the logic behind it so I can be sure it won’t throw curve balls at me when there are more than two statuses.
Thanks!