Event order functions
Use the event order functions to return events in chronological or timestamp order.
The following table lists the timestamps from a set of events returned from a search. This table identifies which event is returned when you use the event order functions: earliest, first, last, and latest.
| _time | Event order function | Description |
|---|---|---|
| 2018-04-28 00:15:05 | first | This event is the first event in the search results. But this event is not chronologically the earliest event. |
| 2018-05-01 00:15:04 | ||
| 2018-04-30 00:15:02 | ||
| 2018-04-28 00:15:01 | ||
| 2018-05-01 00:15:05 | latest | This event is chronologically the latest event in the search results. |
| 2018-04-27 00:15:01 | earliest
last |
This event is both the chronologically earliest event and the last event in the search results. |
See Overview of statistical and charting functions.
earliest(X)
Description
Returns the chronologically earliest seen occurrence of a value of a field X.
Usage
- This function processes field values as strings.
- You can use the
earliest(X)function with thechart,stats, andtimechartcommands.
Basic example
| This example uses the sample data from the Search Tutorial. To try this example on your own Splunk instance, you must download the sample data and follow the instructions to get the tutorial data into Splunk. Use the time range All time when you run the search. |
You run the following search to locate invalid user login attempts against a sshd (Secure Shell Daemon). You use the table command to see the values in the _time, source, and _raw fields.
sourcetype=secure invalid user "sshd[5258]" | table _time source _raw
The results appear on the Statistics tab and look something like this:
| _time | source | _raw |
|---|---|---|
| 2018-04-28 00:15:05 | tutorialdata.zip:./mailsv/secure.log | Mon Apr 28 2018 00:15:05 mailsv1 sshd[5258]: Failed password for invalid user tomcat from 67.170.226.218 port 1490 ssh2 |
| 2018-05-01 00:15:04 | tutorialdata.zip:./www2/secure.log | Thu May 01 2018 00:15:04 www2 sshd[5258]: Failed password for invalid user brian from 130.253.37.97 port 4284 ssh2 |
| 2018-04-30 00:15:02 | tutorialdata.zip:./www3/secure.log | Wed Apr 30 2018 00:15:02 www3 sshd[5258]: Failed password for invalid user operator from 222.169.224.226 port 1711 ssh2 |
| 2018-04-28 00:15:01 | tutorialdata.zip:./www1/secure.log | Mon Apr 28 2018 00:15:01 www1 sshd[5258]: Failed password for invalid user rightscale from 87.194.216.51 port 3361 ssh2 |
| 2018-05-01 00:15:05 | tutorialdata.zip:./mailsv/secure.log | Thu May 01 2018 00:15:05 mailsv1 sshd[5258]: Failed password for invalid user testuser from 194.8.74.23 port 3626 ssh2 |
| 2018-04-27 00:15:01 | tutorialdata.zip:./www1/secure.log | Sun Apr 27 2018 00:15:01 www1 sshd[5258]: Failed password for invalid user redmine from 91.208.184.24 port 3587 ssh2 |
You extend the search using the earliest function.
sourcetype=secure invalid user "sshd[5258]" | table _time source _raw | stats earliest(_raw)
The search returns the event with the _time value 2018-04-27 00:15:01, which is the event with the oldest timestamp.
| _time | source | _raw |
|---|---|---|
| 2018-04-27 00:15:01 | tutorialdata.zip:./www1/secure.log | Sun Apr 27 2018 00:15:01 www1 sshd[5258]: Failed password for invalid user redmine from 91.208.184.24 port 3587 ssh2 |
first(X)
Description
Returns the first seen value of the field X. In general, the first seen value of the field is the most recent instance of this field, relative to the input order of events into the stats command.
Usage
- To locate the first value based on time order, use the
earliestfunction instead. - Works best when the search includes the
sortcommand immediately before the statistics or charting command. - This function processes field values as strings.
- You can use the
first(X)function with thechart,stats, andtimechartcommands.
Basic example
| This example uses the sample data from the Search Tutorial. To try this example on your own Splunk instance, you must download the sample data and follow the instructions to get the tutorial data into Splunk. Use the time range All time when you run the search. |
You run the following search to locate invalid user login attempts against a specific sshd (Secure Shell Daemon). You use the table command to see the values in the _time, source, and _raw fields.
sourcetype=secure invalid user "sshd[5258]" | table _time source _raw
The results appear on the Statistics tab and look something like this:
| _time | source | _raw |
|---|---|---|
| 2018-04-28 00:15:05 | tutorialdata.zip:./mailsv/secure.log | Mon Apr 28 2018 00:15:05 mailsv1 sshd[5258]: Failed password for invalid user tomcat from 67.170.226.218 port 1490 ssh2 |
| 2018-05-01 00:15:04 | tutorialdata.zip:./www2/secure.log | Thu May 01 2018 00:15:04 www2 sshd[5258]: Failed password for invalid user brian from 130.253.37.97 port 4284 ssh2 |
| 2018-04-30 00:15:02 | tutorialdata.zip:./www3/secure.log | Wed Apr 30 2018 00:15:02 www3 sshd[5258]: Failed password for invalid user operator from 222.169.224.226 port 1711 ssh2 |
| 2018-04-28 00:15:01 | tutorialdata.zip:./www1/secure.log | Mon Apr 28 2018 00:15:01 www1 sshd[5258]: Failed password for invalid user rightscale from 87.194.216.51 port 3361 ssh2 |
| 2018-05-01 00:15:05 | tutorialdata.zip:./mailsv/secure.log | Thu May 01 2018 00:15:05 mailsv1 sshd[5258]: Failed password for invalid user testuser from 194.8.74.23 port 3626 ssh2 |
| 2018-04-27 00:15:01 | tutorialdata.zip:./www1/secure.log | Sun Apr 27 2018 00:15:01 www1 sshd[5258]: Failed password for invalid user redmine from 91.208.184.24 port 3587 ssh2 |
You extend the search using the first function.
sourcetype=secure invalid user "sshd[5258]" | table _time source _raw | stats first(_raw)
The search returns the event with the _time value 2018-04-28 00:15:05, which is the first event in the list of values returned.
| _time | source | _raw |
|---|---|---|
| 2018-04-28 00:15:05 | tutorialdata.zip:./mailsv/secure.log | Mon Apr 28 2018 00:15:05 mailsv1 sshd[5258]: Failed password for invalid user tomcat from 67.170.226.218 port 1490 ssh2 |
last(X)
Description
Returns the last seen value of the field X. In general, the last seen value of the field is the oldest instance of this field relative to the input order of events into the stats command.
Usage
- To locate the last value based on time order, use the
latestfunction instead. - Works best when the search includes the
sortcommand immediately before the statistics or charting command. - This function processes field values as strings.
You can use the last(X) function with the chart, stats, and timechart commands.
Basic example
The following example returns the first "log_level" value for each distinct "sourcetype".
| This example uses the sample data from the Search Tutorial. To try this example on your own Splunk instance, you must download the sample data and follow the instructions to get the tutorial data into Splunk. Use the time range All time when you run the search. |
You run the following search to locate invalid user login attempts against a specific sshd (Secure Shell Daemon). You use the table command to see the values in the _time, source, and _raw fields.
sourcetype=secure invalid user "sshd[5258]" | table _time source _raw
The results appear on the Statistics tab and look something like this:
| _time | source | _raw |
|---|---|---|
| 2018-04-28 00:15:05 | tutorialdata.zip:./mailsv/secure.log | Mon Apr 28 2018 00:15:05 mailsv1 sshd[5258]: Failed password for invalid user tomcat from 67.170.226.218 port 1490 ssh2 |
| 2018-05-01 00:15:04 | tutorialdata.zip:./www2/secure.log | Thu May 01 2018 00:15:04 www2 sshd[5258]: Failed password for invalid user brian from 130.253.37.97 port 4284 ssh2 |
| 2018-04-30 00:15:02 | tutorialdata.zip:./www3/secure.log | Wed Apr 30 2018 00:15:02 www3 sshd[5258]: Failed password for invalid user operator from 222.169.224.226 port 1711 ssh2 |
| 2018-04-28 00:15:01 | tutorialdata.zip:./www1/secure.log | Mon Apr 28 2018 00:15:01 www1 sshd[5258]: Failed password for invalid user rightscale from 87.194.216.51 port 3361 ssh2 |
| 2018-05-01 00:15:05 | tutorialdata.zip:./mailsv/secure.log | Thu May 01 2018 00:15:05 mailsv1 sshd[5258]: Failed password for invalid user testuser from 194.8.74.23 port 3626 ssh2 |
| 2018-04-27 00:15:01 | tutorialdata.zip:./www1/secure.log | Sun Apr 27 2018 00:15:01 www1 sshd[5258]: Failed password for invalid user redmine from 91.208.184.24 port 3587 ssh2 |
You extend the search using the last function.
sourcetype=secure invalid user "sshd[5258]" | table _time source _raw | stats last(_raw)
The search returns the event with the _time value 2018-04-27 00:15:01, which is the last event in the list of events. However it is not the last chronological event.
| _time | source | _raw |
|---|---|---|
| 2018-04-27 00:15:01 | tutorialdata.zip:./www1/secure.log | Sun Apr 27 2018 00:15:01 www1 sshd[5258]: Failed password for invalid user redmine from 91.208.184.24 port 3587 ssh2 |
latest(X)
Description
Returns the chronologically latest seen occurrence of a value of a field X.
Usage
This function processes field values as strings.
You can use the latest(X) function with the chart, stats, and timechart commands.
Basic example
| This example uses the sample data from the Search Tutorial. To try this example on your own Splunk instance, you must download the sample data and follow the instructions to get the tutorial data into Splunk. Use the time range All time when you run the search. |
You run the following search to locate invalid user login attempts against a specific sshd (Secure Shell Daemon). You use the table command to see the values in the _time, source, and _raw fields.
sourcetype=secure invalid user "sshd[5258]" | table _time source _raw
The results appear on the Statistics tab and look something like this:
| _time | source | _raw |
|---|---|---|
| 2018-04-28 00:15:05 | tutorialdata.zip:./mailsv/secure.log | Mon Apr 28 2018 00:15:05 mailsv1 sshd[5258]: Failed password for invalid user tomcat from 67.170.226.218 port 1490 ssh2 |
| 2018-05-01 00:15:04 | tutorialdata.zip:./www2/secure.log | Thu May 01 2018 00:15:04 www2 sshd[5258]: Failed password for invalid user brian from 130.253.37.97 port 4284 ssh2 |
| 2018-04-30 00:15:02 | tutorialdata.zip:./www3/secure.log | Wed Apr 30 2018 00:15:02 www3 sshd[5258]: Failed password for invalid user operator from 222.169.224.226 port 1711 ssh2 |
| 2018-04-28 00:15:01 | tutorialdata.zip:./www1/secure.log | Mon Apr 28 2018 00:15:01 www1 sshd[5258]: Failed password for invalid user rightscale from 87.194.216.51 port 3361 ssh2 |
| 2018-05-01 00:15:05 | tutorialdata.zip:./mailsv/secure.log | Thu May 01 2018 00:15:05 mailsv1 sshd[5258]: Failed password for invalid user testuser from 194.8.74.23 port 3626 ssh2 |
| 2018-04-27 00:15:01 | tutorialdata.zip:./www1/secure.log | Sun Apr 27 2018 00:15:01 www1 sshd[5258]: Failed password for invalid user redmine from 91.208.184.24 port 3587 ssh2 |
You extend the search using the latest function.
sourcetype=secure invalid user "sshd[5258]" | table _time source _raw | stats latest(_raw)
The search returns the event with the _time value 2018-05-01 00:15:05, which is the event with the most recent timestamp.
| _time | source | _raw |
|---|---|---|
| 2018-05-01 00:15:05 | tutorialdata.zip:./mailsv/secure.log | Thu May 01 2018 00:15:05 mailsv1 sshd[5258]: Failed password for invalid user testuser from 194.8.74.23 port 3626 ssh2 |
| Aggregate functions | Multivalue stats and chart functions |
This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13
Download manual
Feedback submitted, thanks!