In my years of Splunking I recall that you could not rely on events arriving in synchronous order 100% of the time. Rather, you will get them as the Search Head receives them, based on how fast or slow the indexers are. This, in turn, means that you can't rely on first() or last() to give you the earliest or latest value of a field. You'll only see this happen once in a blue moon, but it can happen. The problem is I can't find the original documentation that stated this issue.
My friend, on the other hand, says that the search head sorts events so that you always get them in reverse chronological order because he's never seen the opposite happen.
Who's right?