Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

latest function in stats not working without earliest?

vbumgarn
Path Finder
‎03-05-2012 08:11 PM

Given the events:

2012-03-06 01:02:00 a=1 b=2
2012-03-06 02:03:00 a=2 b=3

and the query:

* | stats count latest(a) by b

latest(a) is empty. However, if you add earliest(a) to the query, like so:

* | stats count latest(a) earliest(a) by b

then both latest(a) and earliest(a) are populated. earliest also works by itself.

Any idea why latest won't work by itself?

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

araitz
Splunk Employee
Splunk Employee
‎04-11-2012 10:13 AM

I filed this as SPL-50131 and I will do my best to update as I have more information.

In the meantime, use the workaround here:

http://splunk-base.splunk.com/answers/45268/stats-latest-not-returning-a-value/45276

View solution in original post

Reply
Solved! Jump to solution
Solution

araitz
Splunk Employee
Splunk Employee
‎04-11-2012 10:13 AM

I filed this as SPL-50131 and I will do my best to update as I have more information.

In the meantime, use the workaround here:

http://splunk-base.splunk.com/answers/45268/stats-latest-not-returning-a-value/45276

Reply
Solved! Jump to solution

caseypike
Path Finder
‎04-11-2014 03:24 PM

I am having the same problem in 6.0.1. Sometimes the latest result is returned, sometimes it is blank.

0 Karma
Reply
Solved! Jump to solution

shreyans
Path Finder
‎07-12-2015 11:56 PM

Hi,

See that stats command need _time field to get latest so if you have query like
index=xyz | tabel t1, t2,t3 | stats latest(t1) by t2,t3

then you will see blank for latest(t1) column

change query like
index=xyz | tabel t1, t2, t3,_time | stats latest(t1) by t2,t3 | fields - _time
OR
index=xyz | stats latest(t1) by t2,t3

0 Karma
Reply
Solved! Jump to solution

araitz
Splunk Employee
Splunk Employee
‎03-26-2013 01:47 PM

According to SPL-50131 this was fixed in 4.3.3 and also should be fixed in 5.0.0 through 5.0.2. If this isn't the case, please file a support ticket so we can get the required information from you.

0 Karma
Reply
Solved! Jump to solution

srowe
Explorer
‎03-26-2013 01:43 PM

Is this supposed to be fixed in 5.0.1? We are having the same issue...what is the workaround?

0 Karma
Reply
Solved! Jump to solution

araitz
Splunk Employee
Splunk Employee
‎05-06-2012 09:49 AM

It was always to late for 4.3.2, so I would hope 4.3.3.

0 Karma
Reply
Solved! Jump to solution

vbumgarn
Path Finder
‎05-04-2012 12:28 PM

Still broken in 4.3.2. Any idea on when a fix will be in?

0 Karma
Reply
Solved! Jump to solution

bmgilmore
Path Finder
‎04-02-2012 01:59 PM

nice catch. I'd been having the hardest time figuring out why latest only worked sometimes, I just started to use first. Seems like a bug to me!

0 Karma
Reply
Solved! Jump to solution

rmonge
New Member
‎03-26-2012 02:16 PM

Thanks for posting this question. I was frustrated about last() working but then latest() had no results. I added earliest() and for some reason latest() worked. It looks like a bug to me.

0 Karma
Reply
Get Updates on the Splunk Community!

Database Performance Sidebar Panel Now on APM Database Query Performance & Service ...

We’ve streamlined the troubleshooting experience for database-related service issues by adding a database ...

IM Landing Page Filter - Now Available

We’ve added the capability for you to filter across the summary details on the main Infrastructure Monitoring ...

Dynamic Links from Alerts to IM Navigators - New in Observability Cloud

Splunk continues to improve the troubleshooting experience in Observability Cloud with this latest enhancement ...