---
id: most-recent-least-recent
title: most_recent, least_recent Grouping Operators
sidebar_label: most_recent, least_recent
slug: /help/docs/search/search-query-language/group-aggregate-operators/most-recent-least-recent/
canonical: https://www.sumologic.com/help/docs/search/search-query-language/group-aggregate-operators/most-recent-least-recent/
---

import useBaseUrl from '@docusaurus/useBaseUrl';

The `most_recent` and `least_recent` operators, used with the `withtime` operator, are aggregate operators that select the most recent or least recent value within a group.

The `withtime` operator takes a field and creates a JSON object containing the field's value and its timestamp in milliseconds. The resulting field is named in the format `x_withtime` and appears as part of your search results. The `most_recent` and `least_recent` operators then order your data by referencing the `x_withtime` field.

The `withtime`, `most_recent`, and `least_recent` operators are not considered standalone operators; they are designed to be used only as an alternative to the [`first` and `last` operators](/docs/search/search-query-language/group-aggregate-operators/first-last) in auto refresh dashboards or any continuous query where `first` and `last` are not supported.

## Syntax

The field `status` is used in the following syntax expressions to represent any field.

```sumo
| parse ... as status | withtime status | most_recent(status_withtime) [as <alias>] by _sourceHost
```

```sumo
| parse ... as status | withtime status | least_recent(status_withtime) [as <alias>] by _sourceHost
```

## Rules

* Default alias field is named `_mostrecent` or `_leastrecent`

## Examples

### Find the most recent visitors to our site by IP

Suppose we want to keep an eye on visitors that hit our site from different countries. This query returns the most recent IP addresses, grouped by country, based on the log message time:

```sumo
*ip* OR *address*
| parse regex "(?<IP>\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
| lookup latitude, longitude, country_code from geo://location on ip=IP
| where !isNull(country_code)
| withtime IP
| most_recent(ip_withtime) by country_code
```

### Find the least recent action per user

Use `least_recent` to surface the oldest recorded action for each user:

```sumo
_sourceCategory=auth/login
| parse "user=* action=*" as user, action
| withtime action
| least_recent(action_withtime) as oldest_action by user
```
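
The following Python model is an added illustration, not Sumo Logic code: it mimics the `withtime` then `most_recent` / `least_recent` behavior described at the top of this page to show that the value chosen per group depends on the message timestamp, not on the order in which events are read. The JSON key names (`value`, `time_ms`), the function names, and the sample events are assumptions constructed for this example.

```python
import json
from collections import defaultdict

# Constructed sample events (not from the page): (timestamp_ms, country_code, ip),
# deliberately listed out of chronological order.
EVENTS = [
    (1700000300000, "US", "198.51.100.7"),
    (1700000100000, "US", "192.0.2.10"),
    (1700000200000, "DE", "203.0.113.5"),
    (1700000400000, "DE", "203.0.113.9"),
    (1700000250000, "US", "192.0.2.44"),
]


def withtime(value, ts_ms):
    """Pair a field value with its timestamp in milliseconds, as a JSON string.
    The key names are assumptions for this model, not Sumo Logic's format."""
    return json.dumps({"value": value, "time_ms": ts_ms})


def _pick(events, chooser):
    """Group the x_withtime objects by key, then choose one per group."""
    groups = defaultdict(list)
    for ts_ms, group_key, value in events:
        groups[group_key].append(withtime(value, ts_ms))
    # Selection uses the embedded timestamp, never the position in the input.
    by_time = lambda obj: json.loads(obj)["time_ms"]
    return {key: json.loads(chooser(objs, key=by_time))["value"]
            for key, objs in groups.items()}


def most_recent(events):
    """Model of: withtime IP | most_recent(ip_withtime) by country_code"""
    return _pick(events, max)


def least_recent(events):
    """Model of: withtime IP | least_recent(ip_withtime) by country_code"""
    return _pick(events, min)


if __name__ == "__main__":
    print("most recent :", most_recent(EVENTS))
    print("least recent:", least_recent(EVENTS))
```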