Splunk Cloud

Search Reference


Event order functions

Use the event order functions to return events in chronological or timestamp order.

See Overview of statistical and charting functions.

earliest(X)

Description

Returns the chronologically earliest seen occurrence of a value of a field X.

Usage

  • This function processes field values as strings.
  • You can use the earliest(X) function with the chart, stats, and timechart commands.

Basic examples

The following example returns the earliest "log_level" value for each distinct "sourcetype".

index=_internal |stats earliest(log_level) by sourcetype


first(X)

Description

Returns the first seen value of the field X. In general, the first seen value of the field is the most recent instance of this field, relative to the input order of events into the stats command.

Usage

  • To locate the first value based on time order, use the earliest function instead.
  • Works best when the search includes the sort command immediately before the statistics or charting command.
  • This function processes field values as strings.
  • You can use the first(X) function with the chart, stats, and timechart commands.

Basic examples

The following example returns the first "log_level" value for each distinct "sourcetype".

index=_internal |stats first(log_level) by sourcetype


last(X)

Description

Returns the last seen value of the field X. In general, the last seen value of the field is the oldest instance of this field relative to the input order of events into the stats command.

Usage

  • To locate the last value based on time order, use the latest function instead.
  • Works best when the search includes the sort command immediately before the statistics or charting command.
  • This function processes field values as strings.

  • You can use the last(X) function with the chart, stats, and timechart commands.

Basic examples

The following example returns the last "log_level" value for each distinct "sourcetype".

index=_internal |stats last(log_level) by sourcetype


latest(X)

Description

Returns the chronologically latest seen occurrence of a value of a field X.

Usage

  • This function processes field values as strings.
  • You can use the latest(X) function with the chart, stats, and timechart commands.

Basic examples

The following example returns the latest "log_level" value for each distinct "sourcetype".

index=_internal |stats latest(log_level) by sourcetype
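The four functions above differ in one respect that is easy to miss: first(X) and last(X) depend on the order in which events reach the stats command, while earliest(X) and latest(X) depend only on _time. Because a search normally returns events newest-first, first() usually yields the most recent value and last() the oldest, which is the reverse of what the names suggest, and a sort command placed before stats changes the answer. The following is an added example, not Splunk code, that models these documented semantics in Python over a small constructed set of events (the EVENTS list, the sourcetype names and the log levels are all made up) so the difference between input order and timestamp order can be seen side by side.

```python
"""Model of Splunk's first/last versus earliest/latest stats functions.

Added example, not Splunk's own code. It reproduces the documented
semantics over a constructed event list so that the effect of input
order (first/last) versus timestamp order (earliest/latest) is visible.
"""
from collections import defaultdict

# Constructed sample events: (epoch _time, sourcetype, log_level).
# Times are deliberately out of order within each sourcetype.
EVENTS = [
    (1700000000, "splunkd", "INFO"),
    (1700000060, "splunkd", "WARN"),
    (1700000120, "splunkd", "ERROR"),
    (1700000030, "scheduler", "INFO"),
    (1700000090, "scheduler", "ERROR"),
]


def search_results(events, newest_first=True):
    """Model the order in which a search feeds events into stats.

    newest_first=True mirrors the default (reverse-chronological) output;
    newest_first=False mirrors '... | sort _time' placed before stats.
    """
    return sorted(events, key=lambda e: e[0], reverse=newest_first)


def stats_first_last(ordered_events):
    """first(X) / last(X): determined purely by input order.

    Values are handled as strings, matching the documented behaviour.
    Returns two dicts keyed by sourcetype: (first, last).
    """
    first, last = {}, {}
    for _time, sourcetype, level in ordered_events:
        first.setdefault(sourcetype, str(level))  # keep the first seen
        last[sourcetype] = str(level)             # overwrite: last seen wins
    return first, last


def stats_earliest_latest(events):
    """earliest(X) / latest(X): determined by _time, not input order.

    Returns two dicts keyed by sourcetype: (earliest, latest).
    """
    by_sourcetype = defaultdict(list)
    for _time, sourcetype, level in events:
        by_sourcetype[sourcetype].append((_time, str(level)))
    earliest = {st: min(vals)[1] for st, vals in by_sourcetype.items()}
    latest = {st: max(vals)[1] for st, vals in by_sourcetype.items()}
    return earliest, latest


if __name__ == "__main__":
    # Default pipeline: newest events first, so first() is the most recent.
    first, last = stats_first_last(search_results(EVENTS))
    print("default order  first:", first, " last:", last)

    # With a chronological sort before stats, first() becomes the oldest.
    first_s, last_s = stats_first_last(search_results(EVENTS, newest_first=False))
    print("after sort     first:", first_s, " last:", last_s)

    # earliest()/latest() give the same answer regardless of input order.
    earliest, latest = stats_earliest_latest(search_results(EVENTS))
    print("by timestamp   earliest:", earliest, " latest:", latest)
```

Running the script shows that, with the default newest-first input, first() returns the same values as latest() and last() returns the same values as earliest(); only after sorting by _time does first() line up with earliest(). When a search has to answer "when was this value first seen" (the usual question in a first-seen detection), earliest() and latest() are the safe choice because their result does not depend on an upstream sort.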


This documentation applies to the following versions of Splunk Cloud: 6.6.0, 6.6.1, 6.6.3
