https://community.splunk.com/t5/Splunk-Search/help-on-a-max-or-a-latest-function-which-doent-works/m-p/380622#M170463 <P>You would want latest too because max over a large time period may not be what you're expecting</P> Mon, 08 Jul 2019 13:17:36 GMT jkat54 2019-07-08T13:17:36Z https://community.splunk.com/t5/Splunk-Search/help-on-a-max-or-a-latest-function-which-doent-works/m-p/380617#M170458 <P>hello</P> <P>The max function in this search doesnt works. Idem with latest!<BR /> Its not the latest or max event taked into account but the min or the oldest!<BR /> what is the problem please??</P> <PRE><CODE>index=x sourcetype=wireless_client_val | eval LAST_SEEN=strptime(LAST_SEEN, "%Y-%m-%d %H:%M:%S.%1N") | eval diff_seconds=now()-LAST_SEEN | where diff_seconds&gt;(60*60*24*5) | search [ inputlookup host.csv | table host | rename host as USERNAME] | lookup lookup_cmdb_fo_all.csv HOSTNAME as USERNAME output SITE | search SITE="*" | eval LAST_SEEN_DAYS=round((now()-LAST_SEEN)/60/60/24,1) | stats values(SITE) as SITE, max(LAST_SEEN_DAYS) as Days_of_last_seen by USERNAME | sort -Days_of_last_seen </CODE></PRE> Mon, 08 Jul 2019 11:41:43 GMT https://community.splunk.com/t5/Splunk-Search/help-on-a-max-or-a-latest-function-which-doent-works/m-p/380617#M170458 jip31 2019-07-08T11:41:43Z https://community.splunk.com/t5/Splunk-Search/help-on-a-max-or-a-latest-function-which-doent-works/m-p/380618#M170459 <P>Can you perhaps share some data going into the stats command (a table with a number of rows with at least these fields: _time, LAST_SEEN_DAYS,username) and data coming out and how that is different from what you expect?</P> <P>I cannot imagine <CODE>max(LAST_SEEN_DAYS)</CODE> returning the events with <CODE>min(LAST_SEEN_DAYS)</CODE> instead. Same for <CODE>latest()</CODE>, unless you have been messing with the _time field (which doesn't seem to be the case from the search you are sharing), that should also behave as expected.</P> Wed, 30 Sep 2020 01:15:56 GMT https://community.splunk.com/t5/Splunk-Search/help-on-a-max-or-a-latest-function-which-doent-works/m-p/380618#M170459 FrankVl 2020-09-30T01:15:56Z https://community.splunk.com/t5/Splunk-Search/help-on-a-max-or-a-latest-function-which-doent-works/m-p/380619#M170460 <P>Hi<BR /> What I want to say is that the events returned by my stats command correspond to the difference between now() and the oldest LAST_SEEN events instead the latest<BR /> Example:<BR /> For example, for the first event returned by the search, the latest _time field value is 08/0719 13:29 and the oldest _time field value is 01/07/19 17:59<BR /> So normally,LAST_SEEN_DAYS for this USERNAME hast to be now() - 08/0719 13:29 so 0,1 days<BR /> But instead this I have 7 days so it means now() - 01/07/19 17:59<BR /> Very strange</P> Wed, 30 Sep 2020 01:15:32 GMT https://community.splunk.com/t5/Splunk-Search/help-on-a-max-or-a-latest-function-which-doent-works/m-p/380619#M170460 jip31 2020-09-30T01:15:32Z https://community.splunk.com/t5/Splunk-Search/help-on-a-max-or-a-latest-function-which-doent-works/m-p/380620#M170461 <P>If you replace <CODE>max(LAST_SEEN_DAYS)</CODE> with <CODE>values(LAST_SEEN_DAYS)</CODE> you'll see all the LAST_SEEN_DAYS values for each host. You may see something like <CODE>1,7</CODE>. The MAX of those values is 7, which is what you are getting.</P> Wed, 30 Sep 2020 01:15:35 GMT https://community.splunk.com/t5/Splunk-Search/help-on-a-max-or-a-latest-function-which-doent-works/m-p/380620#M170461 richgalloway 2020-09-30T01:15:35Z https://community.splunk.com/t5/Splunk-Search/help-on-a-max-or-a-latest-function-which-doent-works/m-p/380621#M170462 <P>yes but like I said previously if my last or my max events _time is 08/0719 13:29 , I need to have 0,1 days displayed instead 7 days<BR /> my issue is on the LAST_SEEN_DAYS calculation<BR /> and when I use max or latest, normally it the last event that is taken into account<BR /> and for me no</P> Wed, 30 Sep 2020 01:15:37 GMT https://community.splunk.com/t5/Splunk-Search/help-on-a-max-or-a-latest-function-which-doent-works/m-p/380621#M170462 jip31 2020-09-30T01:15:37Z https://community.splunk.com/t5/Splunk-Search/help-on-a-max-or-a-latest-function-which-doent-works/m-p/380622#M170463 <P>You would want latest too because max over a large time period may not be what you're expecting</P> Mon, 08 Jul 2019 13:17:36 GMT https://community.splunk.com/t5/Splunk-Search/help-on-a-max-or-a-latest-function-which-doent-works/m-p/380622#M170463 jkat54 2019-07-08T13:17:36Z https://community.splunk.com/t5/Splunk-Search/help-on-a-max-or-a-latest-function-which-doent-works/m-p/380623#M170464 <P>I don't completely follow, but it sounds like you may want to do a <CODE>| stats values(SITE) as SITE latest(LAST_SEEN) as LAST_SEEN by USERNAME</CODE> before doing any of the calculations instead of doing that stats at the end.</P> Mon, 08 Jul 2019 13:25:41 GMT https://community.splunk.com/t5/Splunk-Search/help-on-a-max-or-a-latest-function-which-doent-works/m-p/380623#M170464 FrankVl 2019-07-08T13:25:41Z https://community.splunk.com/t5/Splunk-Search/help-on-a-max-or-a-latest-function-which-doent-works/m-p/380624#M170465 <P>Sorry I dont understand</P> Mon, 08 Jul 2019 13:34:14 GMT https://community.splunk.com/t5/Splunk-Search/help-on-a-max-or-a-latest-function-which-doent-works/m-p/380624#M170465 jip31 2019-07-08T13:34:14Z https://community.splunk.com/t5/Splunk-Search/help-on-a-max-or-a-latest-function-which-doent-works/m-p/380625#M170466 <P>Something like this (I also moved the subsearch into the main search instead of a separate search command):</P> <PRE><CODE>index=x sourcetype=wireless_client_val [ inputlookup host.csv | table host | rename host as USERNAME] | lookup lookup_cmdb_fo_all.csv HOSTNAME as USERNAME output SITE | search SITE="*" | eval LAST_SEEN=strptime(LAST_SEEN, "%Y-%m-%d %H:%M:%S.%1N") | stats values(SITE) as SITE, latest(LAST_SEEN) as LAST_SEEN by USERNAME | eval diff_seconds=now()-LAST_SEEN | where diff_seconds&gt;(60*60*24*5) | eval LAST_SEEN_DAYS=round((now()-LAST_SEEN)/60/60/24,1) | sort -Days_of_last_seen </CODE></PRE> Mon, 08 Jul 2019 13:55:27 GMT https://community.splunk.com/t5/Splunk-Search/help-on-a-max-or-a-latest-function-which-doent-works/m-p/380625#M170466 FrankVl 2019-07-08T13:55:27Z https://community.splunk.com/t5/Splunk-Search/help-on-a-max-or-a-latest-function-which-doent-works/m-p/380626#M170467 <P>Oh now it seems to be correct!<BR /> I just dont clearly well why we have to put the eval after the stats</P> Mon, 08 Jul 2019 15:16:31 GMT https://community.splunk.com/t5/Splunk-Search/help-on-a-max-or-a-latest-function-which-doent-works/m-p/380626#M170467 jip31 2019-07-08T15:16:31Z