Splunk Search

Why are stats last and first inverted?

mataharry
Communicator

When I search with stats first(myfield) last(myfield),
they return the opposite!

Example:
10/10/2010 myfield=A
12/12/2012 myfield=B

  • | stats first(myfield) last(myfield) returns first=B, last=A
1 Solution

yannK
Splunk Employee

Splunk starts searching events at the current time and progressively searches backward into the past.

  • first() returns the first seen result -> the most recent reference
  • last() returns the last seen result -> the oldest reference

Please read the documentation with attention:
http://docs.splunk.com/Documentation/Splunk/4.3.1/SearchReference/CommonStatsFunctions


HeinzWaescher
Motivator

Hi,

Does it make a difference how the events are sorted? So, is "last seen" independent of the order of the events, and does it always mean "the earliest timestamp"?

Thanks in advance

Heinz


lguinn2
Legend

Yes, it matters how events are sorted for the first and last functions. However, the sort order does not matter for the earliest and latest functions, as they are based on the event timestamp.
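
To make the two answers above concrete (yannK's point that first()/last() follow the order in which results arrive, and lguinn2's point that earliest()/latest() follow the event timestamp), here is a small Python model of that behaviour. It is an added illustration, not Splunk code; the event data is constructed from the two events in the question, and the functions default_order() and after_sort_time() stand in for a plain search and a search with "| sort _time" before stats.

```python
from datetime import datetime

# Constructed sample events, written here oldest first,
# mirroring the two events in the question.
EVENTS = [
    {"_time": datetime(2010, 10, 10), "myfield": "A"},
    {"_time": datetime(2012, 12, 12), "myfield": "B"},
]


def search_results(events, newest_first=True):
    """Model the order Splunk hands rows to stats.

    By default a search returns the most recent event first
    (newest_first=True); "| sort _time" flips that (newest_first=False).
    """
    return sorted(events, key=lambda e: e["_time"], reverse=newest_first)


def stats(rows, field):
    """Model stats first/last/earliest/latest for one field.

    first()/last() depend only on the order rows arrive in.
    earliest()/latest() compare _time and ignore row order.
    """
    return {
        "first": rows[0][field],
        "last": rows[-1][field],
        "earliest": min(rows, key=lambda e: e["_time"])[field],
        "latest": max(rows, key=lambda e: e["_time"])[field],
    }


def default_order():
    """Plain search: rows arrive newest first, so first()=B, last()=A."""
    return stats(search_results(EVENTS), "myfield")


def after_sort_time():
    """Search with '| sort _time': first()/last() swap, earliest/latest do not."""
    return stats(search_results(EVENTS, newest_first=False), "myfield")


if __name__ == "__main__":
    print("default order :", default_order())
    print("after sort _time:", after_sort_time())
```

Whichever order the rows arrive in, earliest() and latest() stay stable, which is why they are the safer choice when the intent is "oldest" and "newest" by timestamp.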

willthames2
Path Finder

Note that

  • earliest
  • latest

also exist, which have the meanings you seem to be looking for from first and last.

jperezes
Path Finder

Hi, I then have a situation that is confusing me.
I use last to store the first occurrence of an event, then I store that in a lookup file.
The next thing I do is a subsearch for the last 24h, get the first occurrence and append that to the lookup file.
At that point I need to remove duplicates and keep only the very last in the lookup file.

Does that convention also work when you are not looking at the stored event data but at a lookup file?

Thanks in advance,

Rgds,
Juan


araitz
Splunk Employee

Splunk is a reverse time-series index, so while it might be confusing, it is technically correct. The results of a Splunk search are ordered by default from most recent to least recent.


mataharry
Communicator

This is so crazy, why use such confusing names!
