topic Why are stats functions first() and latest() not returning the same result? in Splunk Search https://community.splunk.com/t5/Splunk-Search/Why-are-stats-functions-first-and-latest-not-returning-the-same/m-p/472155#M132849 <P>Hello,</P> <P>I am a little bit confused by the functions <CODE>latest()</CODE> and <CODE>earliest()</CODE>.<BR /> Running this search:</P> <PRE><CODE>index=myindex sourcetype=mysourcetype | stats first(myfield) latest(myfield) earliest(myfield) last(myfield) by sourcetype </CODE></PRE> <P>Gives us</P> <PRE><CODE> first(myfield) latest(myfield) earliest(myfield) last(myfield) 1434767753.755 1434767758.840 1383228859.223 1383228859.223 </CODE></PRE> <P>It is, from my point of view, normal to have the same value returned by <CODE>earliest()</CODE> and <CODE>last()</CODE>, as we did not change the order of the events. I am surprised to receive different values for <CODE>first()</CODE> and <CODE>latest()</CODE>.</P> <P>If we run:</P> <PRE><CODE>index=myindex sourcetype=mysourcetype | head 1 | table myfield </CODE></PRE> <P>We get:</P> <PRE><CODE>myfield 1434767758.840 </CODE></PRE> <P>The value returned by <CODE>latest()</CODE> seems to be correct. What is returned by <CODE>first()</CODE>?</P> <P>Regards</P> <P>PS - We are running on Splunk Enterprise 6.2.3</P> Sat, 20 Jun 2015 22:01:11 GMT afieffe 2015-06-20T22:01:11Z Why are stats functions first() and latest() not returning the same result? https://community.splunk.com/t5/Splunk-Search/Why-are-stats-functions-first-and-latest-not-returning-the-same/m-p/472155#M132849 <P>Hello,</P> <P>I am a little bit confused by the functions <CODE>latest()</CODE> and <CODE>earliest()</CODE>.<BR /> Running this search:</P> <PRE><CODE>index=myindex sourcetype=mysourcetype | stats first(myfield) latest(myfield) earliest(myfield) last(myfield) by sourcetype </CODE></PRE> <P>Gives us</P> <PRE><CODE> first(myfield) latest(myfield) earliest(myfield) last(myfield) 1434767753.755 1434767758.840 1383228859.223 1383228859.223 </CODE></PRE> <P>It is, from my point of view, normal to have the same value returned by <CODE>earliest()</CODE> and <CODE>last()</CODE>, as we did not change the order of the events. I am surprised to receive different values for <CODE>first()</CODE> and <CODE>latest()</CODE>.</P> <P>If we run:</P> <PRE><CODE>index=myindex sourcetype=mysourcetype | head 1 | table myfield </CODE></PRE> <P>We get:</P> <PRE><CODE>myfield 1434767758.840 </CODE></PRE> <P>The value returned by <CODE>latest()</CODE> seems to be correct. What is returned by <CODE>first()</CODE>?</P> <P>Regards</P> <P>PS - We are running on Splunk Enterprise 6.2.3</P> Sat, 20 Jun 2015 22:01:11 GMT https://community.splunk.com/t5/Splunk-Search/Why-are-stats-functions-first-and-latest-not-returning-the-same/m-p/472155#M132849 afieffe 2015-06-20T22:01:11Z Re: Why are stats functions first() and latest() not returning the same result? https://community.splunk.com/t5/Splunk-Search/Why-are-stats-functions-first-and-latest-not-returning-the-same/m-p/472156#M132850 <P><CODE>first()</CODE> gives you the value first seen by the reporting command, with no regard for the timestamp. Depending on what's returned first to the search head from the indexers this may or may not match with <CODE>latest()</CODE>.</P> Sun, 21 Jun 2015 08:37:14 GMT https://community.splunk.com/t5/Splunk-Search/Why-are-stats-functions-first-and-latest-not-returning-the-same/m-p/472156#M132850 martin_mueller 2015-06-21T08:37:14Z