My search returns a table of a count of IP addresses that have hit our system in a given search period. I am trying to determine what the earliest time and most recent time was for each IP address.

index=myIndex host=mySrvr sourcetype=mysource | stats count by s_ipad, r_ip_country, |Fields s_ipad, r_ip_country. min(_time),max(_time) count | search count>=15 |sort -count

The table of data returns the top 15 IP addresses and country of origin; however, the min(_time) and max(_time) are empty. Any help would be appreciated. Thanks.
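An added example, not part of the original post: stats keeps only the fields it computes plus its BY fields, so _time is gone by the time a later fields command runs, and min(_time) and max(_time) have to be computed in the same stats call as the count. The output names first_seen and last_seen and the timestamp format are assumptions chosen for illustration; the index, host, sourcetype and field names are the ones from the post.

```spl
index=myIndex host=mySrvr sourcetype=mysource
| stats count, min(_time) AS first_seen, max(_time) AS last_seen BY s_ipad, r_ip_country
| where count >= 15
| sort - count
| eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S")
| eval last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| fields s_ipad, r_ip_country, first_seen, last_seen, count
```

The strftime conversion comes after the sort so that the epoch values stay numeric for any ordering or arithmetic done on them earlier in the pipeline.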