Solved: Last vs Max in Timestamp

lucas4394 · ‎12-06-2019

I wonder what the difference between last and max in timestamp if I want to return the most recent time from a lookup. Both of them return the same result as showed below. Any comments?

| makeresults 
| eval last_seen=strptime("05/06/2019 5:43:32","%m/%d/%Y %H:%M:%S") 
| append 
    [| makeresults 
    | eval last_seen=strptime("05/06/2019 16:12:00","%m/%d/%Y %H:%M:%S")] 
| stats max(last_seen) as max_last_seen last(last_seen) as first_last_seen 
| eval max_last_seen=strftime(max_last_seen, "%m/%d/%Y %H:%M:%S"), first_last_seen=strftime(first_last_seen, "%m/%d/%Y %H:%M:%S")

woodcock · ‎12-06-2019

Using max(_time) is far more efficient than using latest(_time) because it does less work. One should ALWAYS use max(_time) over latest(_time).

View solution in original post

woodcock · ‎12-06-2019

Using max(_time) is far more efficient than using latest(_time) because it does less work. One should ALWAYS use max(_time) over latest(_time).

woodcock · ‎12-06-2019

Furthermore, if you are POSITIVE that you results will ALWAYS be sorted (keep in mind that in low-RAM situations, sometimes events are not returned fully sorted), you can use first(_time) which is the fastest and most-efficient of them all.

Last vs Max in Timestamp

Index This | When is October more than just the tenth month?

Observe and Secure All Apps with Splunk

What’s New & Next in Splunk SOAR

Are you a member of the Splunk Community?

Last vs Max in Timestamp

Index This | When is October more than just the tenth month?

Observe and Secure All Apps with Splunk

What’s New & Next in Splunk SOAR