If you want the most accurate (in terms of timestamp, not indexing-time), then you should use min(_time). For example, use this query where you swap out the values for your base search and field name.
<YOUR_BASE_SEARCH> <YOUR_FIELD>=* | stats min(_time) as earliest by <YOUR_FIELD>
A faster way that relies on indexing-time, not the raw timestamp, is using earliest(_time).
<YOUR_BASE_SEARCH> <YOUR_FIELD>=* | stats earliest(_time) as earliest by <YOUR_FIELD>
Usually these two will return the same values, but that is not guaranteed, e.g., events get stuck in a queue and get indexed some time later.
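To check on your own data whether the two functions disagree, the search below (an added example, not part of the original answer) computes both values per field value alongside _indextime, Splunk's index-time field, so that late-indexed events show up. The output field names (first_by_min, first_by_earliest, first_indexed, max_index_lag_sec, differs) are chosen here for illustration.

```spl
<YOUR_BASE_SEARCH> <YOUR_FIELD>=*
| eval index_lag=_indextime-_time
| stats min(_time) as first_by_min
        earliest(_time) as first_by_earliest
        min(_indextime) as first_indexed
        max(index_lag) as max_index_lag_sec
        by <YOUR_FIELD>
| eval differs=if(first_by_min!=first_by_earliest, "yes", "no")
| convert ctime(first_by_min) ctime(first_by_earliest) ctime(first_indexed)
| sort - max_index_lag_sec
```

Rows with differs="yes" or a large max_index_lag_sec are the ones where the choice of function matters for a first-seen timeline.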