Skip to main content

Hi team,

I am building a dashboard to show the top detections. For this, I am creating a table view with columns for detection title and counts. It's pretty simple—I have used the detection title and the product log id with count measure to achieve this. However, I am facing an issue.

Let's say, for product log id = 1, the title is abc. After some time, a new record gets ingested with the same product log id = 1 but with the title xyz. With the current approach, I get two rows: abc, 1 and xyz, 1. However, I only need xyz, 1, as it is the latest record.

In summary, I want to deduplicate the product log id by selecting only the most recently ingested record for each ID. Is this possible? If yes, please let me know how.

Thanks

cc: jstoner

 

Here is an example of what I believe you are driving for and hopefully the couple of ideas here will get you going in the direction you are driving...


The following query will give me a listing of the rule_id, rule_name, date and detection count. So in my results you can see I have a large number of dns_query_first_seen_past_day rules that fired. The rule id is a good way field to use in case the rule_name in detection gets duplicated in another rule btw.


 



$rule_id = detection.detection.rule_id
$rule_name = detection.detection.rule_name
$date = timestamp.get_timestamp(detection.detection_time.seconds, "%F %T")
match:
  $rule_id, $rule_name, $date
outcome:
  $d_count = count($rule_id)
order:
  $date asc


A snippet of my results are above. I think this is what you are describing, in general with the exception that i don't have the same rule name on two different rules, but this is why i tend to prefer to use rule_id as a good value and then bring the name along for the human readable part.


 For the second part of the question,  let's revamp our query slightly. This time, we are moving the date out of the filtering statement and the match section and we are going to group on that same rule_id and rule_name but now we are going to return the max value of the detection by time and then use the get_timestamp function to make it nicely formatted. We will still count the number of detection in the past month by the rule_id and rule_name combination, but now in our results we have a single row for each rule_id/rule_name combo with the count of detections and the max detection time which would be the last time that rule triggered.


 



$rule_id = detection.detection.rule_id
$rule_name = detection.detection.rule_name
match:
  $rule_id, $rule_name
outcome:
  $d_count = count($rule_id)
  $date = timestamp.get_timestamp(max(detection.detection_time.seconds), "%F %T")
order:
  $date asc


 



Hope this helps! 


 


Thanks @jstoner 

It seems that the above solution is for the Preview Dashboards, but I am looking for the normal Dashboards.

Hi @GaurangPatel,

The below should work, import this into the Looker based dashboard solution:

lookml:
- dashboard: latest_record
description: ""
elements:
- col: 0
column_limit: 50
conditional_formatting_include_nulls: false
conditional_formatting_include_totals: false
defaults_version: 1
enable_conditional_formatting: false
explore: rule_detections_connector
fields:
- rule_detections__detection.rule_id
- rule_detections__detection.rule_name
- rule_detections.committimestamp_max_second
- rule_detections__detection.count
header_font_size: 12
header_text_alignment: left
height: 7
hide_row_totals: false
hide_totals: false
limit: 500
limit_displayed_rows: false
model: scn
name: Untitled
row: 0
rows_font_size: 12
show_row_numbers: true
show_view_names: false
size_to_fit: true
sorts:
- rule_detections.committimestamp_max_second desc 0
table_theme: white
title: Untitled
transpose: false
truncate_text: true
type: looker_grid
width: 18
layout: newspaper
title: Latest Record
metadata:
exported_at: "2025-02-11T04:18:40-08:00"
file_fingerprint: "125426485073724995716803761615960826218"
looker_version: 24.18.128
version: "1"


Kind Regards,



Ayman

Reply


Terms & ConditionsCookie settings
Privacy Policy Terms of Service Gen AI Policy Community Guidelines Cookie Settings

© 2025 Google. All rights reserved.