I am a little bit confused by the functions latest() and earliest().
Running this search:
index=myindex sourcetype=mysourcetype | stats first(myfield) latest(myfield) earliest(myfield) last(myfield) by sourcetype
first(myfield)    latest(myfield)   earliest(myfield)   last(myfield)
1434767753.755    1434767758.840    1383228859.223      1383228859.223
It is, from my point of view, normal to have the same value returned by earliest() and last(), as we did not change the order of the events. I am surprised to receive different values for first() and latest().
If we run:
index=myindex sourcetype=mysourcetype | head 1 | table myfield
The value returned by latest() seems to be correct. What is returned by first()?
PS - We are running on Splunk Enterprise 6.2.3
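The following is an added illustration, not code from the question or from Splunk. It models the documented behaviour of the four stats functions in a few lines of Python: first() and last() take the first and last value in the order the events reach stats, whereas earliest() and latest() pick the value by each event's _time. The sample events are constructed (the field values are just the epoch timestamps as strings, and the processing order is one in which a newer event happens to arrive second, as can occur when results from several buckets or indexers are merged). Whether that is what happened in the asker's environment is not established here; the model only shows that such an order reproduces the pattern in the question, and that sorting by _time before stats removes the difference. Tie handling in earliest()/latest() is an assumption of this model.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Event:
    time: float    # the event's _time, in epoch seconds
    myfield: str   # the field handed to the stats functions


def stats_first(events: List[Event]) -> Optional[str]:
    """first(X): value from the first event stats receives, regardless of _time."""
    return events[0].myfield if events else None


def stats_last(events: List[Event]) -> Optional[str]:
    """last(X): value from the last event stats receives."""
    return events[-1].myfield if events else None


def stats_earliest(events: List[Event]) -> Optional[str]:
    """earliest(X): value from the event with the smallest _time.
    Assumption: on equal _time the first one seen wins (Python's min does that)."""
    return min(events, key=lambda e: e.time).myfield if events else None


def stats_latest(events: List[Event]) -> Optional[str]:
    """latest(X): value from the event with the largest _time (same tie assumption)."""
    return max(events, key=lambda e: e.time).myfield if events else None


def summarize(events: List[Event]) -> Dict[str, Optional[str]]:
    """Return the four results in the column order used in the question."""
    return {
        "first": stats_first(events),
        "latest": stats_latest(events),
        "earliest": stats_earliest(events),
        "last": stats_last(events),
    }


def by_time_desc(events: List[Event]) -> List[Event]:
    """The order stats normally sees: most recent _time first (like `| sort -_time`)."""
    return sorted(events, key=lambda e: e.time, reverse=True)


# Constructed sample: the order in which the events reach stats is mostly
# newest-first, but the second event carries a newer _time than the first.
SEARCH_ORDER = [
    Event(1434767753.755, "1434767753.755"),  # seen first by stats
    Event(1434767758.840, "1434767758.840"),  # newer _time, but seen second
    Event(1400000000.000, "1400000000.000"),
    Event(1383228859.223, "1383228859.223"),  # oldest _time, seen last
]


if __name__ == "__main__":
    # Reproduces the pattern from the question: first != latest, earliest == last.
    print(summarize(SEARCH_ORDER))
    # After ordering by _time the pairs agree.
    print(summarize(by_time_desc(SEARCH_ORDER)))
```

The practical check on a real search is the same as the model's second call: put `| sort -_time` (or `| sort 0 -_time` for more than 10,000 events) in front of `stats` and compare first() with latest() again; if they now match, the original search was simply not feeding stats in strict _time order.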