Basically I want to know if there’s an implementation for this kind of condition:
max(Index) by Version
What you’re asking for seem to be precisely how you would call max with stats:
index=ndx sourcetype=srctp Version=* datacenter=*
| stats max(Version) by datacenter
Does that not do what you’re looking for?
from User warren – Stack Overflow https://stackoverflow.com/questions/73659718/splunk-how-to-implement-maxindex-by-version/73662378#73662378
via IFTTT