That's actually a good (and working) idea! Thank you very much! I don't know why latest didn't work either cause technically it should just check with the time and return the whole thing, right?

But yes, it works now, thank you very much!

We talked about it with @bowesmana on Slack and it seems the behaviour is intentional and is docummented (albeit a bit vaguely) - "Use the event order functions to return values from fields based on the order in which the event is processed, which is not necessarily chronological or timestamp order. " (from https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchReference/Eventorderfunctions )

I agree, that you would expect it to return the entire MV field, not just the first value.

I suspect this may be a bug that has existed forever, but one which has a workaround.

If you have a support entitlement with Splunk, you could raise that as a bug and see what they say

This is a simple working example from your data that exhibits the problem

| makeresults format=csv data="_time,name,status,nameStatus
2023-12-06 16:06:20,A:B:C,UP:DOWN:UP,A;UP:B;DOWN:C;UP
2023-12-06 16:03:20,A:B:C,UP:UP:UP,A;UP:B;UP:C;UP
2023-12-06 16:00:20,A:B:C,DOWN:UP:UP,A;DOWN:B;UP:C;UP"
| foreach * [ eval <<FIELD>>=split(<<FIELD>>, ":") ]
```| eval nameStatus=mvjoin(nameStatus,"##")```
| stats latest(nameStatus) as nameStatus
```| eval nameStatus=split(nameStatus, "##")```