Usage Of STATS Functions [first(), last(), earliest(), latest()] In Splunk
Hi Guys!!!
Today we have come with a new and interesting topic: some useful functions which can be used with the stats command. Those are first(), last(), earliest() and latest(). So, let's start.
To show the usage of these functions we will use the event set from the query below. [We have added these sample events to the index “info”.]
index=info | table _time,_raw
Please see the image below to see what the result of this query looks like.
Now we will show you the usage of these functions on this event set. So, let's start.
first(x):
1. This function takes only one argument [e.g. first(field_name)]
2. This function is used to retrieve the first seen value of a specified field.
Example:1
index=info |table _time,_raw | stats first(_raw)
Explanation:
We have used “| stats first(_raw)”, which gives the first event from the event list. In other words, it gives the first seen value in the “_raw” field. [As you can see in the above image]
If you compare this with image 1 you will see that the value of “_raw” with the timestamp “2020-05-06 12:00:07” is the first event, i.e. the first value of the “_raw” field according to the order of events in the result set, which is “Wed May 06 2020 12:00:07 Sneha is 18 years old” (irrespective of the timestamp) [As you can see in the image].
last(x):
1. This function takes only one argument [e.g. last(field_name)]
2. This function is used to retrieve the last seen value of a specified field.
Example:2
index=info | table _time,_raw | stats last(_raw)
Explanation:
We have used “| stats last(_raw)”, which gives the last event, i.e. the bottom event from the event list. In other words, it gives the last seen value in the “_raw” field. [As you can see in the above image]
If you compare this with image 1 you will see that the value of “_raw” with the timestamp “2020-04-08 11:34:23” is the last event, i.e. the last value in the “_raw” field according to the order of events in the result set, which is “Wed April 08 2020 11:34:23 Saheb is 15 years old.” (irrespective of the timestamp) [As you can see in the image].
earliest(x):
1. This function takes only one argument [e.g. earliest(field_name)]
2. This function is used to retrieve the event with the oldest timestamp (chronologically earliest event).
NOTE: Chronological order means ordering events according to their time sequence.
Example:3
index=info | table _time,_raw | stats earliest(_raw)
Explanation:
Now we have used “| stats earliest(_raw)”, which gives the event (the value of the “_raw” field) that has the oldest timestamp (chronologically earliest) [As you can see in the image].
If you check image 1, you can see that the oldest timestamp value in the “_time” field is “2020-04-08 11:34:23”, and using “| stats earliest(_raw)” we get the value of the “_raw” field associated with that time, which is “Wed April 08 2020 11:34:23 Saheb is 15 years old.” [As you can see in the above image].
latest(x):
1. This function takes only one argument [e.g. latest(field_name)]
2. This function is used to retrieve the event which has the most recent timestamp (chronologically latest event).
Example:4
index=info | table _time,_raw | stats latest(_raw)
Explanation:
Now we have used “| stats latest(_raw)”, which gives the event (the value of the “_raw” field) that has the most recent timestamp (chronologically latest) [As you can see in the image].
If you check image 1, you can see that the most recent timestamp value in the “_time” field is “2020-05-06 12:00:07”, and using “| stats latest(_raw)” we get the value of the “_raw” field associated with that time, which is “Wed May 06 2020 12:00:07 Sneha is 18 years old”. [As you can see in the above image]
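To make the difference between the four functions concrete, here is an added Python model (not Splunk code and not part of the original post) that applies first(), last(), earliest() and latest() to a constructed event list. The list reuses the two events quoted above from index “info” plus one invented middle event, listed newest-first as Splunk returns events by default; the helper compare_orderings() then re-runs the functions on the same events sorted oldest-first, the way a “| sort _time” before stats would hand them over.

```python
from datetime import datetime

# Constructed sample events modelled on the two events quoted in the post;
# the middle event is invented so that there are three distinct timestamps.
# Order is newest-first, which is how Splunk returns events by default.
EVENTS = [
    {"_time": datetime(2020, 5, 6, 12, 0, 7),
     "_raw": "Wed May 06 2020 12:00:07 Sneha is 18 years old"},
    {"_time": datetime(2020, 4, 20, 9, 15, 0),
     "_raw": "Mon Apr 20 2020 09:15:00 Rahul is 22 years old"},
    {"_time": datetime(2020, 4, 8, 11, 34, 23),
     "_raw": "Wed April 08 2020 11:34:23 Saheb is 15 years old."},
]

def first(events, field):
    """First seen value of `field` in result order (events lacking it are skipped)."""
    return next((e[field] for e in events if field in e), None)

def last(events, field):
    """Last seen value of `field` in result order."""
    return next((e[field] for e in reversed(events) if field in e), None)

def earliest(events, field):
    """Value of `field` from the event with the oldest _time, whatever the order."""
    cands = [e for e in events if field in e]
    return min(cands, key=lambda e: e["_time"])[field] if cands else None

def latest(events, field):
    """Value of `field` from the event with the most recent _time, whatever the order."""
    cands = [e for e in events if field in e]
    return max(cands, key=lambda e: e["_time"])[field] if cands else None

def compare_orderings(events, field="_raw"):
    """Run all four functions on the default (newest-first) order and on the same
    events sorted oldest-first, to show which results depend on result order."""
    funcs = (first, last, earliest, latest)
    by_time = sorted(events, key=lambda e: e["_time"])
    return {
        "default": {f.__name__: f(events, field) for f in funcs},
        "sorted_oldest_first": {f.__name__: f(by_time, field) for f in funcs},
    }

if __name__ == "__main__":
    for order, results in compare_orderings(EVENTS).items():
        print(order)
        for name, value in results.items():
            print(f"  {name}(_raw) = {value}")
```

In the default order first() and latest() agree (the 2020-05-06 event) and last() and earliest() agree (the 2020-04-08 event), exactly as in the four examples above; after the sort, first() and last() swap while earliest() and latest() do not change. For first-seen/last-seen baselines in detection searches, that is the reason to prefer earliest() and latest(), which depend on _time rather than on whatever order the events happen to arrive in.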
Hope you have understood the usage of first(), last(), earliest() and latest() with stats command clearly.
Happy Splunking !!!