Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

why stats last and first are inverted ?

mataharry
Communicator
‎03-12-2012 06:35 PM

When I search with stats first(myfield) last(myfield)
They return the opposite !!!!

example :
10/10/2010 myfield=A
12/12/2012 myfield=B

  • | stats first(myfield) last(myfield) returns first=B, last=A
Tags (2)
Reply
1 Solution
Solved! Jump to solution
Solution

yannK
Splunk Employee
Splunk Employee
‎03-12-2012 06:36 PM

Splunk starts to search events at the current time, and progressively search backward in the past.

  • first() returns the first seen result -> the most recent reference
  • last() returns the last seen result - > the oldest reference

Please read the documentation with attention :
http://docs.splunk.com/Documentation/Splunk/4.3.1/SearchReference/CommonStatsFunctions

View solution in original post

Reply
Solved! Jump to solution

HeinzWaescher
Motivator
‎11-01-2013 10:15 AM

Hi,

does it make a difference, how the events are sorted? So, is "last seen" independent of the order of the events and does always mean "the earliest timestamp"?

Thanks in advance

Heinz

0 Karma
Reply
Solved! Jump to solution

lguinn2
Legend
‎11-04-2013 10:19 AM

Yes it matters how events are sorted for the first and last functions. However, the sort order does not matter for the earliest and latest functions, as they are based on the event timestamp.

Reply
Solved! Jump to solution

willthames2
Path Finder
‎03-12-2012 06:57 PM

Note that

  • earliest
  • latest

also exist which have the meanings that you seem to be looking for from first and last.

Reply
Solved! Jump to solution
Solution

yannK
Splunk Employee
Splunk Employee
‎03-12-2012 06:36 PM

Splunk starts to search events at the current time, and progressively search backward in the past.

  • first() returns the first seen result -> the most recent reference
  • last() returns the last seen result - > the oldest reference

Please read the documentation with attention :
http://docs.splunk.com/Documentation/Splunk/4.3.1/SearchReference/CommonStatsFunctions

Reply
Solved! Jump to solution

jperezes
Path Finder
‎04-05-2016 06:23 AM

Hi, I have then a situation that is confusing me.
I use last to store the first occurrence of an event, then I store that in a lookup file.
Next thing I do is to do a sub search for the last 24h get the first occurrence and append that to the lookup file.
at that point I need to remove duplicates and keep only the very last in the lookup file.

Does that convention also works when you are not looking up at the stored data events but in a lookup file???

Thanks in advance,

Rgds,
Juan

0 Karma
Reply
Solved! Jump to solution

araitz
Splunk Employee
Splunk Employee
‎03-12-2012 09:46 PM

Splunk is a reverse time-series index, so while it might be confusing, it is techically correct. The results of a Splunk search are ordered by default from most recent to least recent.

0 Karma
Reply
Solved! Jump to solution

mataharry
Communicator
‎03-12-2012 06:37 PM

This is so crazy, why using so confusing names !

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

    Thursday, July 9, 2026  |  11:00AM–12:00PM PDT Duration: 1 hour (includes Q&A) Managing can feel like a ...

Upgrade Prep for 10.4, Network Observability Deep Dives, and More from Splunk Lantern

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...

Splunk Developer Day announcements: AI agents, MCP tools, Forecasting, and Custom ...

Splunk Developer Day was packed with product and platform updates for developers building in the AI ...