https://community.splunk.com/t5/Splunk-Search/Can-earliest-latest-function-be-used-over-my-own-timestamp-field/m-p/556079#M157899 <P>Yes, you can. &nbsp;If you want to use search command, rename your timestamp _time; else you will need to do calculations in where command.</P> Thu, 17 Jun 2021 03:08:25 GMT yuanliu 2021-06-17T03:08:25Z https://community.splunk.com/t5/Splunk-Search/Can-earliest-latest-function-be-used-over-my-own-timestamp-field/m-p/556078#M157898 <P class="lia-align-left">Hi folks, my dataset looks like this:</P><TABLE border="1" width="100.00000000000001%"><TBODY><TR><TD width="16.666666666666668%" height="25px">timestamp</TD><TD width="16.666666666666668%" height="25px">id</TD><TD width="33.333333333333336%" height="25px">userMail</TD><TD width="33.333333333333336%" height="25px">reason</TD></TR><TR><TD width="16.666666666666668%" height="25px">t1</TD><TD width="16.666666666666668%" height="25px">id1</TD><TD width="33.333333333333336%" height="25px">a@example.com</TD><TD width="33.333333333333336%" height="25px">test</TD></TR><TR><TD width="16.666666666666668%" height="25px">t2</TD><TD width="16.666666666666668%" height="25px">id1</TD><TD width="33.333333333333336%" height="25px">a@example.com</TD><TD width="33.333333333333336%" height="25px">test</TD></TR><TR><TD width="16.666666666666668%" height="25px">t3</TD><TD width="16.666666666666668%" height="25px">id1</TD><TD width="33.333333333333336%" height="25px">a@example.com</TD><TD width="33.333333333333336%" height="25px">&nbsp;test</TD></TR><TR><TD height="25px">t2</TD><TD height="25px">id2</TD><TD height="25px">b@example.com</TD><TD height="25px">testtest</TD></TR><TR><TD height="25px">t4</TD><TD height="25px">id2</TD><TD height="25px">b@example.com</TD><TD height="25px">ttt</TD></TR></TBODY></TABLE><P class="lia-align-left">&nbsp;</P><P class="lia-align-left">I want to group by id and userMail, then find the last (latest) record in each group. From the help document on latest/earliest function, it uses metadata field _time to find the latest row, how can I let latest function to use timestamp field in my case?&nbsp;<BR />I know I can use something like eval _time = timestamp to overwrite the _time field, but want to know if there are better ways to achieve.<BR /><BR />My second question is how to write the query, can i do in this way:<BR /><BR />| eval _time=timestamp/pow(10,3)<BR />| chart latest(*) by id, userEmail<BR /><BR />Thanks!</P> Thu, 17 Jun 2021 03:57:34 GMT https://community.splunk.com/t5/Splunk-Search/Can-earliest-latest-function-be-used-over-my-own-timestamp-field/m-p/556078#M157898 codewarrior 2021-06-17T03:57:34Z https://community.splunk.com/t5/Splunk-Search/Can-earliest-latest-function-be-used-over-my-own-timestamp-field/m-p/556079#M157899 <P>Yes, you can. &nbsp;If you want to use search command, rename your timestamp _time; else you will need to do calculations in where command.</P> Thu, 17 Jun 2021 03:08:25 GMT https://community.splunk.com/t5/Splunk-Search/Can-earliest-latest-function-be-used-over-my-own-timestamp-field/m-p/556079#M157899 yuanliu 2021-06-17T03:08:25Z https://community.splunk.com/t5/Splunk-Search/Can-earliest-latest-function-be-used-over-my-own-timestamp-field/m-p/556115#M157909 If needed you could add new field (or convert timestamp) for epoch time (time in seconds). Then just look min/max from this values and then add values(timestamp) as timestamp your query or convert that min/max value back to displayable format.<BR />r. Ismo Thu, 17 Jun 2021 06:40:37 GMT https://community.splunk.com/t5/Splunk-Search/Can-earliest-latest-function-be-used-over-my-own-timestamp-field/m-p/556115#M157909 isoutamo 2021-06-17T06:40:37Z https://community.splunk.com/t5/Splunk-Search/Can-earliest-latest-function-be-used-over-my-own-timestamp-field/m-p/556131#M157915 <BLOCKQUOTE><HR /><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/235510">@codewarrior</a>&nbsp;wrote:<P class="lia-align-left">My second question is how to write the query, can i do in this way:<BR /><BR />| eval _time=timestamp/pow(10,3)<BR />| chart latest(*) by id, userEmail</P><HR /></BLOCKQUOTE><P>Also yes. &nbsp;As soon as you redefine _time, it behaves as the original _time. (In some use cases, you want to first rename the original in order to save its value. &nbsp;But for the stats that you are using it with, that is not necessary.)</P> Thu, 17 Jun 2021 07:39:41 GMT https://community.splunk.com/t5/Splunk-Search/Can-earliest-latest-function-be-used-over-my-own-timestamp-field/m-p/556131#M157915 yuanliu 2021-06-17T07:39:41Z