https://community.splunk.com/t5/Splunk-Search/what-is-the-time-field-for-latest-after-tstats/m-p/689618#M234980 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/268682">@OriP</a>&nbsp;</P><P>Pls try something similar from this post -&nbsp;</P><P><A href="https://community.splunk.com/t5/Splunk-Search/How-do-you-use-the-streamstats-command-after-tstats-and-stats/m-p/388189" target="_blank">https://community.splunk.com/t5/Splunk-Search/How-do-you-use-the-streamstats-command-after-tstats-and-stats/m-p/388189</A></P><P>&nbsp;</P> Tue, 04 Jun 2024 23:39:42 GMT inventsekar 2024-06-04T23:39:42Z https://community.splunk.com/t5/Splunk-Search/what-is-the-time-field-for-latest-after-tstats/m-p/689615#M234978 <P>Trying to understand what is the time field after tstats.</P> <P>We have the _time field for every event, thats how tstats finds latest event, but what is the latest for a stats that comes after tstats?</P> <P>for example</P> <LI-CODE lang="markup">| tstats latest(var1) as var1 by var2 var3 | eval var4 = ……….. | stats latest(var4) by var3</LI-CODE> Tue, 04 Jun 2024 22:29:02 GMT https://community.splunk.com/t5/Splunk-Search/what-is-the-time-field-for-latest-after-tstats/m-p/689615#M234978 OriP 2024-06-04T22:29:02Z https://community.splunk.com/t5/Splunk-Search/what-is-the-time-field-for-latest-after-tstats/m-p/689618#M234980 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/268682">@OriP</a>&nbsp;</P><P>Pls try something similar from this post -&nbsp;</P><P><A href="https://community.splunk.com/t5/Splunk-Search/How-do-you-use-the-streamstats-command-after-tstats-and-stats/m-p/388189" target="_blank">https://community.splunk.com/t5/Splunk-Search/How-do-you-use-the-streamstats-command-after-tstats-and-stats/m-p/388189</A></P><P>&nbsp;</P> Tue, 04 Jun 2024 23:39:42 GMT https://community.splunk.com/t5/Splunk-Search/what-is-the-time-field-for-latest-after-tstats/m-p/689618#M234980 inventsekar 2024-06-04T23:39:42Z https://community.splunk.com/t5/Splunk-Search/what-is-the-time-field-for-latest-after-tstats/m-p/689621#M234981 <P>There is no _time field after a tstats, so you either have to split by _time or add something like</P><P>&nbsp;</P><LI-CODE lang="markup">| tstats max(_time) as _time...</LI-CODE><P>&nbsp;</P><P>but it depends on what you're trying to achieve as to what you need to do</P><P>You can also use</P><LI-CODE lang="markup">| tstats latest_time(var1) as _time...</LI-CODE><P>which will give you the latest _time the var1 variable was seen</P> Wed, 05 Jun 2024 00:36:02 GMT https://community.splunk.com/t5/Splunk-Search/what-is-the-time-field-for-latest-after-tstats/m-p/689621#M234981 bowesmana 2024-06-05T00:36:02Z