Solved: What are the correct stats functions to use to get...

splunker12er · ‎07-04-2015

What is the correct stats function to use to get the last event for a host in a specified time range? first(_raw) or latest(_raw)?

Similarly, to get the first event for a host, what is the correct function to use? last(_raw) or earliest(_raw)?

Please advise..
Thanks..

martin_mueller · ‎07-04-2015

If you're looking for the "most old" and "most young" events, use latest() and earliest().

If you're looking for "event zero" and "event n-1" from an ordered list of n events, use first() and last().

mdessus_splunk · ‎07-04-2015

Does head and tail would match your needs ( mysearchcriteria host=xxx | head 1 for ex.) ?

martin_mueller · ‎07-04-2015

If you're looking for the "most old" and "most young" events, use latest() and earliest().

If you're looking for "event zero" and "event n-1" from an ordered list of n events, use first() and last().

What are the correct stats functions to use to get the first and last event for a host in a specified time range?