https://community.splunk.com/t5/Splunk-Search/Why-does-latest-does-not-work-with-multivalues-properly/m-p/671085#M229991 <P>That's actually a good (and working) idea! Thank you very much! I don't know why latest didn't work either cause technically it should just check with the time and return the whole thing, right?<BR /><BR />But yes, it works now, thank you very much!</P><P>&nbsp;</P> Wed, 06 Dec 2023 21:38:45 GMT MirrorCraze 2023-12-06T21:38:45Z https://community.splunk.com/t5/Splunk-Search/Why-does-latest-does-not-work-with-multivalues-properly/m-p/671081#M229987 <P>I have some search before, and after I extract fields (name, status) from json and mvzip it together, I got this table</P><P>&nbsp;</P><TABLE border="1" width="100%"><TBODY><TR><TD width="33.333333333333336%" height="40px">_time</TD><TD width="33.333333333333336%" height="40px">name</TD><TD width="16.666666666666668%" height="40px">status</TD><TD width="16.666666666666668%" height="40px">nameStatus</TD></TR><TR><TD width="33.333333333333336%" height="113px"><SPAN>2023-12-06 16:06:20</SPAN></TD><TD width="33.333333333333336%" height="113px"><P>A</P><P>B</P><P>C</P></TD><TD width="16.666666666666668%" height="113px"><P>UP</P><P>DOWN</P><P>UP</P></TD><TD width="16.666666666666668%" height="113px"><P>A,UP</P><P>B,DOWN</P><P>C,UP</P></TD></TR><TR><TD width="33.333333333333336%" height="113px"><SPAN>2023-12-06 16:03:20</SPAN></TD><TD width="33.333333333333336%" height="113px"><P>A</P><P>B</P><P>C</P></TD><TD width="16.666666666666668%" height="113px"><P>UP</P><P>UP</P><P>UP</P></TD><TD width="16.666666666666668%" height="113px"><P>A,UP</P><P>B,UP</P><P>C,UP</P></TD></TR><TR><TD width="33.333333333333336%" height="113px"><SPAN>2023-12-06 16:00:20</SPAN></TD><TD width="33.333333333333336%" height="113px"><P>A</P><P>B</P><P>C</P></TD><TD width="16.666666666666668%" height="113px"><P>DOWN&nbsp;</P><P>UP</P><P>UP</P></TD><TD width="16.666666666666668%" height="113px"><P>A,DOWN</P><P>B,UP</P><P>C,UP</P></TD></TR></TBODY></TABLE><P>&nbsp;</P><P>I want to get only the latest time of the records, so I pipe in the command&nbsp; ...|stats latest(nameStatus). However, the result comes out only as</P><P>A,UP</P><P>&nbsp;</P><P>How can I fix this? Thank you!</P> Wed, 06 Dec 2023 21:15:23 GMT https://community.splunk.com/t5/Splunk-Search/Why-does-latest-does-not-work-with-multivalues-properly/m-p/671081#M229987 MirrorCraze 2023-12-06T21:15:23Z https://community.splunk.com/t5/Splunk-Search/Why-does-latest-does-not-work-with-multivalues-properly/m-p/671083#M229989 <P>That's interesting and seems as thought it may be a bug, but it may be that it's always worked that way.</P><P>The solution is to mvjoin the data so it's single value then split it afterwards, e.g.</P><LI-CODE lang="markup">... | eval nameStatus=mvjoin(nameStatus,"##") | stats latest(nameStatus) as nameStatus | eval nameStatus=split(nameStatus, "##")</LI-CODE> Wed, 06 Dec 2023 21:27:54 GMT https://community.splunk.com/t5/Splunk-Search/Why-does-latest-does-not-work-with-multivalues-properly/m-p/671083#M229989 bowesmana 2023-12-06T21:27:54Z https://community.splunk.com/t5/Splunk-Search/Why-does-latest-does-not-work-with-multivalues-properly/m-p/671085#M229991 <P>That's actually a good (and working) idea! Thank you very much! I don't know why latest didn't work either cause technically it should just check with the time and return the whole thing, right?<BR /><BR />But yes, it works now, thank you very much!</P><P>&nbsp;</P> Wed, 06 Dec 2023 21:38:45 GMT https://community.splunk.com/t5/Splunk-Search/Why-does-latest-does-not-work-with-multivalues-properly/m-p/671085#M229991 MirrorCraze 2023-12-06T21:38:45Z https://community.splunk.com/t5/Splunk-Search/Why-does-latest-does-not-work-with-multivalues-properly/m-p/671088#M229994 <P>I agree, that you would expect it to return the entire MV field, not just the first value.</P><P>I suspect this may be a bug that has existed forever, but one which has a workaround.</P><P>If you have a support entitlement with Splunk, you could raise that as a bug and see what they say</P><P>This is a simple working example from your data that exhibits the problem</P><LI-CODE lang="markup">| makeresults format=csv data="_time,name,status,nameStatus 2023-12-06 16:06:20,A:B:C,UP:DOWN:UP,A;UP:B;DOWN:C;UP 2023-12-06 16:03:20,A:B:C,UP:UP:UP,A;UP:B;UP:C;UP 2023-12-06 16:00:20,A:B:C,DOWN:UP:UP,A;DOWN:B;UP:C;UP" | foreach * [ eval &lt;&lt;FIELD&gt;&gt;=split(&lt;&lt;FIELD&gt;&gt;, ":") ] ```| eval nameStatus=mvjoin(nameStatus,"##")``` | stats latest(nameStatus) as nameStatus ```| eval nameStatus=split(nameStatus, "##")```</LI-CODE> Wed, 06 Dec 2023 21:43:37 GMT https://community.splunk.com/t5/Splunk-Search/Why-does-latest-does-not-work-with-multivalues-properly/m-p/671088#M229994 bowesmana 2023-12-06T21:43:37Z https://community.splunk.com/t5/Splunk-Search/Why-does-latest-does-not-work-with-multivalues-properly/m-p/671119#M230005 <P>We talked about it with <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/6367">@bowesmana</a> on Slack and it seems the behaviour is intentional and is docummented (albeit a bit vaguely) - "Use the event order functions to return values from fields based on the order in which the event is processed, which is not necessarily chronological or timestamp order. " (from <A href="https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchReference/Eventorderfunctions" target="_self">https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchReference/Eventorderfunctions</A> )</P> Thu, 07 Dec 2023 08:05:18 GMT https://community.splunk.com/t5/Splunk-Search/Why-does-latest-does-not-work-with-multivalues-properly/m-p/671119#M230005 PickleRick 2023-12-07T08:05:18Z