topic Re: I need to get the very oldest log event displayed on a dashboard , any tricks to speeding this up? in Splunk Enterprise Security

I need to get the very oldest log event displayed on a dashboard , any tricks to speeding this up?

daniel333 — Tue, 10 Apr 2018 23:22:45 GMT

All,

I need to make a dashboard providing evidence of compliance for our auditors. I was going to use the tail command but it's VERY slow even with the fact I only have a few hundred megs of data right now. Any tricks here to speed this up?

index=os source=/var/log/secure | table _raw | tail  1

Re: I need to get the very oldest log event displayed on a dashboard , any tricks to speeding this up?

adonio — Tue, 10 Apr 2018 23:25:43 GMT

start by tailing before tableing
you are passing all the events in the world through the table command only to look for the last one

 index=os source=/var/log/secure 
    | tail  1
    | table _raw

Re: I need to get the very oldest log event displayed on a dashboard , any tricks to speeding this up?

masonmorales — Wed, 11 Apr 2018 03:54:00 GMT

 index=os source=/var/log/secure  | stats earliest(_raw) as _raw

Re: I need to get the very oldest log event displayed on a dashboard , any tricks to speeding this up?

FrankVl — Wed, 11 Apr 2018 07:39:30 GMT

Do you need the actual event itself, or just the timestamp of the oldest event?

For the latter, a | metadata search would be most efficient I guess. So something along the lines of:

| metadata type=sources index=os source=/var/log/secure 
| table firstTime,source 
| convert ctime(firstTime)

Re: I need to get the very oldest log event displayed on a dashboard , any tricks to speeding this up?

daniel333 — Wed, 11 Apr 2018 22:35:03 GMT

I actually need the entire event actually. But good call on the metadata command. Cool stuff.