Solved: Re: Difference between last(X) and latest(X)

strive · ‎09-10-2013

Hi,

What is the difference between last(X) and latest(X) functions for stats. I tried both in searches and i get same output. The difference is not quite clear in splunk documentation http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/CommonStatsFunctions

I would like to know the exact difference between these two functions.

Thanks

Strive

dart · ‎09-10-2013

You see the same output likely because you are looking at results in default time order.

This search (for me, on the tutorial sample data) gives me four different values:

sourcetype="access_combined_wcookie" | sort time_taken | stats first(c_ip) latest(c_ip) last(c_ip) earliest(c_ip)

first and last are by 'data order', earliest and latest are by 'time order'.

dart · ‎09-10-2013

You see the same output likely because you are looking at results in default time order.

This search (for me, on the tutorial sample data) gives me four different values:

sourcetype="access_combined_wcookie" | sort time_taken | stats first(c_ip) latest(c_ip) last(c_ip) earliest(c_ip)

first and last are by 'data order', earliest and latest are by 'time order'.

strive · ‎09-10-2013

You are right. Thanks a lot.

Difference between last(X) and latest(X)