topic Re: How do I find the first firewall entry? in Security

How do I find the first firewall entry?

nick598660 — Tue, 19 Feb 2019 15:45:27 GMT

Hello Everyone,

I need some help figuring out how far back my firewall logs go. If I set the time picker to "All Time", and just search for Cisco ASA, I get 20 pages of events from today.

Any ideas on how I can locate when I first started getting logs into Splunk from my firewall?

Re: How do I find the first firewall entry?

whrg — Tue, 19 Feb 2019 18:05:27 GMT

Hello @nick598660,

You can use the metadata command to list the timestamps of the first event and of last the event for a list of sourcetypes/hosts/sources.

Try something like this:

| metadata type=sourcetypes index=YOURINDEX
| rename firstTime as "First Event" lastTime as "Last Event" recentTime as "Last Update"
| fieldformat "First Event"=strftime('First Event', "%c") | fieldformat "Last Event"=strftime('Last Event', "%c") | fieldformat "Last Update"=strftime('Last Update', "%c")

The web page under Settings / Indexes also lists the earliest event and the latest event for each index.

If the log volume is not too big, then you could also run a simple tail command to retrieve the first event. Set the time picker to "All Time":

index=YOURINDEX sourcetype=YOURSOURCETYPE | tail 1

Re: How do I find the first firewall entry?

nick598660 — Tue, 19 Feb 2019 19:38:00 GMT

That is exactly what I was looking for. Thank You!