Hello all.
I have Loki ingesting logs from a lot of files, via promtail; rsyslog is feeding those files.
Every file has its own tag (excerpt from promtail.yaml):

    labels:
      job: extlog3
      customer: customername
      __path__: /srv/data/extlog/customername/*log

I’m trying to build a panel to show the timestamp of the last event, for every log file; I’m not interested in firing alerts, just in having a look, every now and then, to see if everything works fine.
In Splunk I use this simple query, that selects every last event, by host, and sorts them by time in reverse order (the oldest last):
| tstats latest(_time) as _time where index=$indexname by host | sort -_time
and generates this panel
I cannot find the way to reproduce this; in LogQL I can’t even find the “latest” function, or a way to emulate/simulate it…
Thanks for suggestions