Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

why stats last and first are inverted ?

mataharry
Communicator
‎03-12-2012 06:35 PM

When I search with stats first(myfield) last(myfield)
They return the opposite !!!!

example :
10/10/2010 myfield=A
12/12/2012 myfield=B

  • | stats first(myfield) last(myfield) returns first=B, last=A
Tags (2)
Reply
1 Solution
Solved! Jump to solution
Solution

yannK
Splunk Employee
Splunk Employee
‎03-12-2012 06:36 PM

Splunk starts to search events at the current time, and progressively search backward in the past.

  • first() returns the first seen result -> the most recent reference
  • last() returns the last seen result - > the oldest reference

Please read the documentation with attention :
http://docs.splunk.com/Documentation/Splunk/4.3.1/SearchReference/CommonStatsFunctions

View solution in original post

Reply
Solved! Jump to solution

HeinzWaescher
Motivator
‎11-01-2013 10:15 AM

Hi,

does it make a difference, how the events are sorted? So, is "last seen" independent of the order of the events and does always mean "the earliest timestamp"?

Thanks in advance

Heinz

0 Karma
Reply
Solved! Jump to solution

lguinn2
Legend
‎11-04-2013 10:19 AM

Yes it matters how events are sorted for the first and last functions. However, the sort order does not matter for the earliest and latest functions, as they are based on the event timestamp.

Reply
Solved! Jump to solution

willthames2
Path Finder
‎03-12-2012 06:57 PM

Note that

  • earliest
  • latest

also exist which have the meanings that you seem to be looking for from first and last.

Reply
Solved! Jump to solution
Solution

yannK
Splunk Employee
Splunk Employee
‎03-12-2012 06:36 PM

Splunk starts to search events at the current time, and progressively search backward in the past.

  • first() returns the first seen result -> the most recent reference
  • last() returns the last seen result - > the oldest reference

Please read the documentation with attention :
http://docs.splunk.com/Documentation/Splunk/4.3.1/SearchReference/CommonStatsFunctions

Reply
Solved! Jump to solution

jperezes
Path Finder
‎04-05-2016 06:23 AM

Hi, I have then a situation that is confusing me.
I use last to store the first occurrence of an event, then I store that in a lookup file.
Next thing I do is to do a sub search for the last 24h get the first occurrence and append that to the lookup file.
at that point I need to remove duplicates and keep only the very last in the lookup file.

Does that convention also works when you are not looking up at the stored data events but in a lookup file???

Thanks in advance,

Rgds,
Juan

0 Karma
Reply
Solved! Jump to solution

araitz
Splunk Employee
Splunk Employee
‎03-12-2012 09:46 PM

Splunk is a reverse time-series index, so while it might be confusing, it is techically correct. The results of a Splunk search are ordered by default from most recent to least recent.

0 Karma
Reply
Solved! Jump to solution

mataharry
Communicator
‎03-12-2012 06:37 PM

This is so crazy, why using so confusing names !

Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

🍂 Fall into November with a fresh lineup of Community Office Hours, Tech Talks, and Webinars we’ve ...

Transform your security operations with Splunk Enterprise Security

Hi Splunk Community, Splunk Platform has set a great foundation for your security operations. With the ...

Splunk Admins and App Developers | Earn a $35 gift card!

Splunk, in collaboration with ESG (Enterprise Strategy Group) by TechTarget, is excited to announce a ...