topic Re: Query to find newly added sourcetypes in Splunk Search

Query to find newly added sourcetypes

kteng2024 — Tue, 28 Mar 2017 22:01:46 GMT

Hi,

I am using below query to find the newly added sourcetypes .

| metadata type=sourcetypes | eval time=now()-firstTime | where time

Re: Query to find newly added sourcetypes

woodcock — Tue, 28 Mar 2017 22:27:18 GMT

This tells you sourcetypes which are new in the last week ( 7 days):

| metadata type=sourcetypes 
| eval firstAgoSeconds=now()-firstTime 
| where firstAgoSeconds < (7 * 24 * 60 * 60)
| convert timeformat="%m-%d-%Y %H:%M:%S" ctime(firstTime) ctime(lastTime) ctime(recentTime)

Re: Query to find newly added sourcetypes

woodcock — Wed, 29 Mar 2017 00:08:00 GMT

@piebob, this is a duplicate:

https://answers.splunk.com/answers/514972/sort-the-query-based-on-firstime-and-count.html#answer-516065

Re: Query to find newly added sourcetypes

vn_g — Fri, 23 Apr 2021 11:09:05 GMT

| metadata type=sourcetypes index="*"
| addinfo
| where (firstTime > info_min_time AND firstTime < info_max_time)

The above helps when you want to filter the value selected from TimeRangepicker.