Skip to main content
Sumo Logic

most_recent and least_recent

The most_recent and least_recent operators, used with the withtime operator, are aggregate operators that allow you to select the most recent or least recent value within a group.

Using withtime forces log messages to be put in perfect order, which then allows you to add queries that contain the first or last operator. It creates a field named xxx_withtimewithtime that will appear as part of your search results.

Syntax

  • * | parse ... as status | withtime status | most_recent(status_withtime) by _sourcehost
  • * | parse ... as status | withtime status | least_recent(status_withtime) by _sourcehost

Examples

Find the most recent visitors to our site by IP.

Say we’d like to keep an eye on visitors that hit our site from different countries. This query will provide the most recent IP addresses based on the logline message time:

*ip* OR *address*
| parse regex "(?<IP>\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" 
| lookup latitude, longitude, country_code from geo://default on ip=IP 
| where !isNull(country_code) 
| withtime IP 
| most_recent(ip_withtime) by country_code 

produces results like:

mostRecent_IPs.png