Usage Of STATS Functions [first(), last(), earliest(), latest()] In Splunk


Hi Guys!!!
Today we have come with a new interesting topic: some useful functions which we can use with the stats command. Those are first(), last(), earliest() and latest(). So, let’s start.
To show the usage of these functions we will use the event set from the below query. [We have added these sample events to the index “info”.]

index=info
| table _time,_raw

Please see the below image to see what the result of this query looks like.

[Image: stats1]
Now we will show you the usage of these functions on this event set. So, let’s start.

first(x):
1. This function takes only one argument [eg: first(field_name)].
2. This function is used to retrieve the first seen value of a specified field, i.e. the value from the event at the top of the result list.

Example: 1

index=info
| table _time,_raw
| stats first(_raw)

[Image: stats2]

Explanation:
We have used “| stats first(_raw)”, which gives the first event from the event list. In other words, it gives the first seen value in the “_raw” field. [As you can see in the above image.]

If you compare this with image 1, you will see that the value of “_raw” with the timestamp “2020-05-06 12:00:07” is the first event, or first value of the “_raw” field, in the result set according to the order of the events (irrespective of the timestamp), which is “Wed May 06 2020 12:00:07 Sneha is 18 years old”. [As you can see in the image.]

last(x):
1. This function takes only one argument [eg: last(field_name)].
2. This function is used to retrieve the last seen value of a specified field, i.e. the value from the event at the bottom of the result list.

Example: 2

index=info
| table _time,_raw
| stats last(_raw)

[Image: stats3]

Explanation:
We have used “| stats last(_raw)”, which gives the last event, or the bottom event, from the event list. In other words, it gives the last value in the “_raw” field. [As you can see in the above image.]

If you compare this with image 1, you will see that the value of “_raw” with the timestamp “2020-04-08 11:34:23” is the last event, or last value of the “_raw” field, in the result set according to the order of the events (irrespective of the timestamp), which is “Wed April 08 2020 11:34:23 Saheb is 15 years old.” [As you can see in the image.]

earliest(x):
1. This function takes only one argument [eg: earliest(field_name)].
2. This function is used to retrieve the value from the event with the oldest timestamp (the chronologically earliest event).
NOTE: Chronological order means ordering events according to their time sequence, not according to the order in which they appear in the result set.

Example: 3

index=info
| table _time,_raw
| stats earliest(_raw)

[Image: stats4]

Explanation:
Now we have used “| stats earliest(_raw)”, which gives the event (the value of the “_raw” field) that has the oldest timestamp (chronologically earliest). [As you can see in the image.]
If you check image 1, you can see that the oldest timestamp value in the “_time” field is “2020-04-08 11:34:23”, and using “| stats earliest(_raw)” we get the value of the “_raw” field associated with that time, which is “Wed April 08 2020 11:34:23 Saheb is 15 years old.” [As you can see in the above image.]

latest(x):
1. This function takes only one argument [eg: latest(field_name)].
2. This function is used to retrieve the value from the event with the most recent timestamp (the chronologically latest event).

Example: 4

index=info
| table _time,_raw
| stats latest(_raw)

[Image: stats5]

Explanation:
Now we have used “| stats latest(_raw)”, which gives the event (the value of the “_raw” field) that has the most recent timestamp (chronologically latest). [As you can see in the image.]
If you check image 1, you can see that the most recent timestamp value in the “_time” field is “2020-05-06 12:00:07”, and using “| stats latest(_raw)” we get the value of the “_raw” field associated with that time, which is “Wed May 06 2020 12:00:07 Sneha is 18 years old”. [As you can see in the above image.]
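As an added example (not from the original post, and not Splunk’s own code), here is a small Python model of the four functions’ semantics as described above: first() and last() are driven by the order of the rows in the result set, while earliest() and latest() are driven by the _time field. The event set is constructed from the two events shown in the images plus one made-up middle event, and the script also runs the functions over the reversed row order to show that only first()/last() change.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional


@dataclass
class Event:
    """One row of the search result: its _time and its _raw text."""
    time: datetime
    raw: str


def first(events: List[Event]) -> Optional[str]:
    """first(_raw): value from the event at the top of the result list."""
    return events[0].raw if events else None


def last(events: List[Event]) -> Optional[str]:
    """last(_raw): value from the event at the bottom of the result list."""
    return events[-1].raw if events else None


def earliest(events: List[Event]) -> Optional[str]:
    """earliest(_raw): value from the event with the oldest _time."""
    return min(events, key=lambda e: e.time).raw if events else None


def latest(events: List[Event]) -> Optional[str]:
    """latest(_raw): value from the event with the most recent _time."""
    return max(events, key=lambda e: e.time).raw if events else None


def summarize(events: List[Event]) -> Dict[str, Optional[str]]:
    """Model of '| stats first(_raw) last(_raw) earliest(_raw) latest(_raw)'."""
    return {"first": first(events), "last": last(events),
            "earliest": earliest(events), "latest": latest(events)}


def _ev(ts: str, raw: str) -> Event:
    return Event(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), raw)


# Constructed sample set, in the order the post's image shows it (newest row first).
# Rows 1 and 3 are the two events from the post; row 2 is made up for this example.
RESULTS = [
    _ev("2020-05-06 12:00:07", "Wed May 06 2020 12:00:07 Sneha is 18 years old"),
    _ev("2020-04-20 09:15:00", "Mon Apr 20 2020 09:15:00 Riya is 21 years old"),
    _ev("2020-04-08 11:34:23", "Wed April 08 2020 11:34:23 Saheb is 15 years old."),
]

if __name__ == "__main__":
    print("default order :", summarize(RESULTS))
    # Reversing the rows swaps first/last; earliest/latest still follow _time.
    print("reversed order:", summarize(list(reversed(RESULTS))))
```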

Hope you have understood the usage of first(), last(), earliest() and latest() with the stats command clearly. Remember that first() and last() follow the order in which the events appear in the result set, whereas earliest() and latest() follow the “_time” field; the two pairs only agree when the results happen to be in chronological order.

You can also read about: Interactive Field Extractor (IFX) in Splunk

Happy Splunking !!!
