https://community.splunk.com/t5/Getting-Data-In/Earliest-event-in-a-sourcetype/m-p/99012#M20714 <P>do you mean you want a human readable date/time ? if yes add this to your search:</P> <PRE><CODE>| convert ctime(firstTime) </CODE></PRE> Thu, 22 Mar 2012 11:39:17 GMT MarioM 2012-03-22T11:39:17Z https://community.splunk.com/t5/Getting-Data-In/Earliest-event-in-a-sourcetype/m-p/99011#M20713 <P>Is there a way to know the earliest event of a specific sourcetype and if the actual event can be viewed for validation?</P> <P>I tried the following but it returned an epoch time (earliest and latest) for different sourcetypes which I cannot validate by seeing the actual event.</P> <PRE><CODE>| metadata type=sourcetypes sourcetype=proofpoint | stats min(firstTime) as firstTime </CODE></PRE> Thu, 22 Mar 2012 06:28:43 GMT https://community.splunk.com/t5/Getting-Data-In/Earliest-event-in-a-sourcetype/m-p/99011#M20713 mcm10285 2012-03-22T06:28:43Z https://community.splunk.com/t5/Getting-Data-In/Earliest-event-in-a-sourcetype/m-p/99012#M20714 <P>do you mean you want a human readable date/time ? if yes add this to your search:</P> <PRE><CODE>| convert ctime(firstTime) </CODE></PRE> Thu, 22 Mar 2012 11:39:17 GMT https://community.splunk.com/t5/Getting-Data-In/Earliest-event-in-a-sourcetype/m-p/99012#M20714 MarioM 2012-03-22T11:39:17Z https://community.splunk.com/t5/Getting-Data-In/Earliest-event-in-a-sourcetype/m-p/99013#M20715 <P>The <CODE>metadata</CODE> search command won't show you events, just the "meta" data (hence the name) in the system catalog. If you want to see events of a certain sourcetype, you could just search for those:</P> <P>search sourcetype=foo</P> <P>To find the chronological first of these, you could try:</P> <P>search sourcetype=foo | tail </P> <P>(remembering that Splunk returns newest events first, and oldest events last).</P> Tue, 27 Mar 2012 16:07:25 GMT https://community.splunk.com/t5/Getting-Data-In/Earliest-event-in-a-sourcetype/m-p/99013#M20715 sowings 2012-03-27T16:07:25Z https://community.splunk.com/t5/Getting-Data-In/Earliest-event-in-a-sourcetype/m-p/99014#M20716 <P>Proofpoint now has a beta app that will allow you report on and visualze your Proofpoint Protection Server and TAP data! Check out the new app here:</P> <P><A href="https://splunkbase.splunk.com/app/3727/#/details">https://splunkbase.splunk.com/app/3727/#/details</A></P> <P>Be sure to follow the instructions listed in the details to get all the needed TA's etc that the app needs to work correctly.</P> Mon, 09 Oct 2017 21:40:18 GMT https://community.splunk.com/t5/Getting-Data-In/Earliest-event-in-a-sourcetype/m-p/99014#M20716 eckolp2003 2017-10-09T21:40:18Z https://community.splunk.com/t5/Getting-Data-In/Earliest-event-in-a-sourcetype/m-p/99015#M20717 <P>You could use the <CODE>metadata</CODE> command as a subsearch, getting the firstTime as the latest time that Splunk should look at:</P> <PRE><CODE>sourcetype=proofpoint [| metadata type=sourcetypes | search sourcetype=proofpoint | stats min(firstTime) as latest by sourcetype | eval latest=latest+1] | stats earliest(_time) as _time, earliest(_raw) as event by sourcetype </CODE></PRE> <P>I tried this on a few of my sourcetypes and it seemed to do the trick. A couple of notes:</P> <OL> <LI>Set your timepicker to "All Time"</LI> <LI>By setting the minimum firstTime to latest in the subsearch, we are overriding the timepicker to use to search for anything older than the minimum firstTime we found.</LI> <LI>I added one to the latest time in the subsearch because Splunk translates latest=timestamp as _time</LI> </OL> Mon, 09 Oct 2017 23:14:01 GMT https://community.splunk.com/t5/Getting-Data-In/Earliest-event-in-a-sourcetype/m-p/99015#M20717 justinatpnnl 2017-10-09T23:14:01Z