What is the difference between min() max() and ear...

edefIo1937 · ‎10-07-2022

If i only want to use the field "_time" of a log to get first and latest occurrence of an event, which commands should i use and why ?

ex:
...
| stats earliest(_time) as firsttime latest(_time) as lasttime

...

or
...

| stats min(_time) as firsttime max(_time) as lasttime

...

Is there a case where i could get differents results ?

jordan_art · ‎10-11-2022

what does Splunk recommend ?

gcusello · ‎10-11-2022

Hi @jordan_art,

there isn't a best practice, you can use both of them with the same results.

Ciao.

Giuseppe

gcusello · ‎10-07-2022

Hi @edefIo1937,

_time is a timestamp in epochtime format, in other words a progressive number, so it's the same thing.

I usually use earliest and latest.

Ciao.

Giuseppe

yuanliu · ‎10-07-2022

Whereas there is no numeric difference, I am also curious as to which one is faster. I usually go with min/max with the following reasoning:

min/max are purely mathematical after all values become available.
earliest(_time)/latest(_time), on the other hand, require two operations, one to compare time stamps on events, one to return value of _time.

The second argument, of course, is flawed. It should depend on implementation of index and search. Any Splunk insider to shed light on this?

What is the difference between min() max() and earliest() latest() for _time manipulations?

fields

other

stats

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

.conf24 | Session Scheduler is Live!!

Introducing the Splunk Community Dashboard Challenge!