topic Re: how to find the earliest and latest event in an index? in Splunk Search

how to find the earliest and latest event in an index?

hiddenkirby — Fri, 01 Oct 2010 02:21:35 GMT

I simply looking for the fist event in an index and the last... to determine how long it took to index x data.

any suggestions? i couldn't seem to figure out that query.

Re: how to find the earliest and latest event in an index?

Lowell — Fri, 01 Oct 2010 02:25:17 GMT

You can look at the index event times using something like this:

| metadata index=main type=hosts | stats min(firstTime) max(lastTime)

Or, to examine individual events, you can compare the _time and _indextime fields:

 index=main | eval lag=_indextime-_time | stats avg(lag) ...

Do either of these help?

Re: how to find the earliest and latest event in an index?

ziegfried — Fri, 01 Oct 2010 02:25:56 GMT

Do you mean the time when the event has been indexed? Then the query would be:

index=<your_index> | stats min(_indextime) as min_indextime max(_indextime) as max_indextime | convert ctime(min_indextime) ctime(max_indextime)

Re: how to find the earliest and latest event in an index?

hiddenkirby — Fri, 01 Oct 2010 02:40:18 GMT

whats the difference between _indextime and _time?

Re: how to find the earliest and latest event in an index?

ziegfried — Fri, 01 Oct 2010 02:42:13 GMT

_indextime is always the time when the event has been index. _time can be a different time, for example when the time found within an event is used

Re: how to find the earliest and latest event in an index?

ziegfried — Mon, 28 Sep 2020 09:18:21 GMT

_time and _indextime are only equal when you use DATETIME_CONFIG = current in your props config of if no timestamp was detected in the event.

Re: how to find the earliest and latest event in an index?

hiddenkirby — Fri, 01 Oct 2010 02:48:35 GMT

This was helpful.

Re: how to find the earliest and latest event in an index?

hiddenkirby — Mon, 28 Sep 2020 09:18:24 GMT

i ended up w/ max(_time) and min(_time) .. convert was very helpful. thank you both.

Re: how to find the earliest and latest event in an index?

hiddenkirby — Fri, 01 Oct 2010 02:49:34 GMT

i do have DATATIME_CONFIG = current.

Re: how to find the earliest and latest event in an index?

joy76 — Wed, 21 Jan 2015 08:36:54 GMT

look at
Settings > DATA > Indexes menu.
There are earliest and last event time by Index.

Re: how to find the earliest and latest event in an index?

damode — Thu, 16 Nov 2017 00:07:26 GMT

Hi Lowell,

When I try this command, | metadata index=main type=hosts | stats min(firstTime) max(lastTime), all I get is two columns, min(firstTime) max(lastTime) with time in seconds.

Can you please advise where I am getting it wrong ?
Thanks.
Dev

Re: how to find the earliest and latest event in an index?

khourihan_splun — Fri, 03 May 2019 21:28:27 GMT

Try this
| metadata index=main type=hosts | stats min(firstTime) max(lastTime) by host

Re: how to find the earliest and latest event in an index?

claudio_manig — Wed, 10 Feb 2021 16:13:23 GMT

I know thats an old post but i wanted to share a way more efficient solution to get latest timestamp by each index in a "metadata" manor:

| rest /services/data/indexes | stats max(maxTime) by title

Hop that helps others-

Cheers