While @RichG’s dedup option may work, here’s one that uses stats
index=ndx sourcetype=srctp clientType=* key=*
| eval comb=_time+" | "+key
| stats values(comb) as comb by clientType
| eval mostrecent=mvindex(comb,-1), secondrecent=mvindex(comb,-2)
| rex field=mostrecent "(?<timemost>\d+)\s\|\s(?<keymost>.+)"
| rex field=secondrecent "(?<timesecond>\d+)\s\|\s(?<keysecond>.+)"
| table clientType timemost keymost timesecond keysecond
| eval timemost=strftime(timemost,"%c"), timesecond=strftime(timesecond,"%c")
from User warren – Stack Overflow https://stackoverflow.com/questions/64336226/splunk-how-to-get-top-2-most-recent-values-for-each-group/64340338#64340338
via IFTTT