Splunk Search

Why are stats last and first inverted?

mataharry
Communicator

When I search with stats first(myfield) last(myfield), they return the opposite!!!!

Example:
10/10/2010 myfield=A
12/12/2012 myfield=B

  • | stats first(myfield) last(myfield) returns first=B, last=A

yannK
Splunk Employee

Splunk starts to search events at the current time, and progressively searches backward into the past.

  • first() returns the first seen result -> the most recent reference
  • last() returns the last seen result -> the oldest reference

Please read the documentation with attention:
http://docs.splunk.com/Documentation/Splunk/4.3.1/SearchReference/CommonStatsFunctions


HeinzWaescher
Motivator

Hi,

Does it make a difference how the events are sorted? So, is "last seen" independent of the order of the events, and does it always mean "the earliest timestamp"?

Thanks in advance

Heinz

lguinn2
Legend

Yes, it matters how events are sorted for the first and last functions. However, the sort order does not matter for the earliest and latest functions, as they are based on the event timestamp.
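The distinction above, as an added example that is not from the thread: a small Python model of how first()/last() pick values from the order in which events reach stats, while earliest()/latest() pick by _time. The event data is constructed from the question (field name myfield, values A and B).

```python
# Added example (not from the thread): models Splunk's stats first()/last()
# versus earliest()/latest(). first()/last() take the first and last value in
# the order the events reach stats; earliest()/latest() use _time and ignore
# that order. Events where the field is missing are skipped, as stats does.
from datetime import datetime

def stats_summary(events, field):
    """Model of `| stats first(f) last(f) earliest(f) latest(f)`."""
    present = [e for e in events if e.get(field) is not None]
    if not present:
        return {}
    by_time = sorted(present, key=lambda e: e["_time"])
    return {
        "first": present[0][field],       # first value stats sees
        "last": present[-1][field],       # last value stats sees
        "earliest": by_time[0][field],    # value from the smallest _time
        "latest": by_time[-1][field],     # value from the largest _time
    }

# Constructed events from the question. Splunk returns results from most
# recent to least recent by default, so stats sees B before A.
DEFAULT_ORDER = [
    {"_time": datetime(2012, 12, 12), "myfield": "B"},
    {"_time": datetime(2010, 10, 10), "myfield": "A"},
]

def default_order_summary():
    """Equivalent of `... | stats ...` on the default (reverse-time) order."""
    return stats_summary(DEFAULT_ORDER, "myfield")

def sorted_order_summary():
    """Equivalent of `... | sort _time | stats ...`: oldest event first."""
    oldest_first = sorted(DEFAULT_ORDER, key=lambda e: e["_time"])
    return stats_summary(oldest_first, "myfield")

if __name__ == "__main__":
    print(default_order_summary())  # first=B last=A earliest=A latest=B
    print(sorted_order_summary())   # first=A last=B earliest=A latest=B
```

Only first/last flip when the events are re-sorted; earliest/latest stay the same.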

willthames2
Path Finder

Note that

  • earliest
  • latest

also exist which have the meanings that you seem to be looking for from first and last.


jperezes
Path Finder

Hi, I then have a situation that is confusing me.
I use last to store the first occurrence of an event, then I store that in a lookup file.
The next thing I do is a subsearch over the last 24h to get the first occurrence and append that to the lookup file.
At that point I need to remove duplicates and keep only the very last in the lookup file.

Does that convention also work when you are not looking at the stored data events but at a lookup file???

Thanks in advance,

Rgds,
Juan

araitz
Splunk Employee

Splunk is a reverse time-series index, so while it might be confusing, it is technically correct. The results of a Splunk search are ordered by default from most recent to least recent.

mataharry
Communicator

This is so crazy, why use such confusing names!
