topic Re: How to get an output containing all host details along with their last update times? in Splunk Search https://community.splunk.com/t5/Splunk-Search/How-to-get-an-output-containing-all-host-details-along-with/m-p/700092#M237591 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/272523">@Sangeeta_1</a>&nbsp;,</P><P>please try this:</P><LI-CODE lang="markup">| tstats count latest(_time) AS _time WHERE index=* BY host | table host -time</LI-CODE><P>Ciao.</P><P>Giuseppe</P> Wed, 25 Sep 2024 12:48:58 GMT gcusello 2024-09-25T12:48:58Z How to get an output containing all host details along with their last update times? https://community.splunk.com/t5/Splunk-Search/How-to-get-an-output-containing-all-host-details-along-with/m-p/700061#M237586 <P>How to get an output containing all host details of all time along with their last update times?&nbsp;</P> <P>Below search is taking huge time, how to get this optimized for faster search -</P> <LI-CODE lang="markup">index=*| fields host, _time | stats max(_time) as last_update_time by host | eval t=now() | eval days_since_last_update=tonumber(strftime((t-last_update_time),"%d"))-1 | where days_since_last_update&gt;30 | eval last_update_time=strftime(last_update_time, "%Y-%m-%d %H:%M:%S") | table last_update_time host days_since_last_update</LI-CODE> <P>&nbsp;</P> Wed, 25 Sep 2024 14:14:28 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-an-output-containing-all-host-details-along-with/m-p/700061#M237586 Sangeeta_1 2024-09-25T14:14:28Z Re: How to get an output containing all host details along with their last update times? https://community.splunk.com/t5/Splunk-Search/How-to-get-an-output-containing-all-host-details-along-with/m-p/700065#M237588 <LI-CODE lang="markup">| metadata type=hosts index=*</LI-CODE> Wed, 25 Sep 2024 08:09:03 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-an-output-containing-all-host-details-along-with/m-p/700065#M237588 ITWhisperer 2024-09-25T08:09:03Z Re: How to get an output containing all host details along with their last update times? https://community.splunk.com/t5/Splunk-Search/How-to-get-an-output-containing-all-host-details-along-with/m-p/700092#M237591 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/272523">@Sangeeta_1</a>&nbsp;,</P><P>please try this:</P><LI-CODE lang="markup">| tstats count latest(_time) AS _time WHERE index=* BY host | table host -time</LI-CODE><P>Ciao.</P><P>Giuseppe</P> Wed, 25 Sep 2024 12:48:58 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-an-output-containing-all-host-details-along-with/m-p/700092#M237591 gcusello 2024-09-25T12:48:58Z Re: How to get an output containing all host details along with their last update times? https://community.splunk.com/t5/Splunk-Search/How-to-get-an-output-containing-all-host-details-along-with/m-p/700102#M237594 <P>Thanks&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/161352">@gcusello</a>&nbsp;for the help. But I am getting future dates like below, but the search was for the last time when I am getting any event w.r.t all the host. I have selected date range as all time. Can you please suggest here?</P><TABLE width="300px"><TBODY><TR><TD width="299.333px">2031-12-11 08:40:08</TD></TR><TR><TD width="299.333px">2025-01-11 09:05:56</TD></TR><TR><TD width="299.333px">2024-10-30 08:12:49</TD></TR></TBODY></TABLE> Wed, 25 Sep 2024 15:14:07 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-an-output-containing-all-host-details-along-with/m-p/700102#M237594 Sangeeta_1 2024-09-25T15:14:07Z Re: How to get an output containing all host details along with their last update times? https://community.splunk.com/t5/Splunk-Search/How-to-get-an-output-containing-all-host-details-along-with/m-p/700104#M237595 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225168">@ITWhisperer</a>&nbsp; Thanks for your comment, but metadata contains limited to a certain time in history, like I can get the data for only last 30 days or so.</P> Wed, 25 Sep 2024 15:15:37 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-an-output-containing-all-host-details-along-with/m-p/700104#M237595 Sangeeta_1 2024-09-25T15:15:37Z Re: How to get an output containing all host details along with their last update times? https://community.splunk.com/t5/Splunk-Search/How-to-get-an-output-containing-all-host-details-along-with/m-p/700106#M237597 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/272523">@Sangeeta_1</a>&nbsp;,</P><P>with my search you should have the latest timestamp for each host, if you have future dates, probably you have some event not correctly parsed because it has future timestamps.</P><P>Ciao.</P><P>Giuseppe</P> Wed, 25 Sep 2024 15:37:59 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-an-output-containing-all-host-details-along-with/m-p/700106#M237597 gcusello 2024-09-25T15:37:59Z Re: How to get an output containing all host details along with their last update times? https://community.splunk.com/t5/Splunk-Search/How-to-get-an-output-containing-all-host-details-along-with/m-p/700126#M237608 <P>Does using alltime help?</P> Wed, 25 Sep 2024 18:49:44 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-an-output-containing-all-host-details-along-with/m-p/700126#M237608 ITWhisperer 2024-09-25T18:49:44Z Re: How to get an output containing all host details along with their last update times? https://community.splunk.com/t5/Splunk-Search/How-to-get-an-output-containing-all-host-details-along-with/m-p/700159#M237626 <P>This should be fast enough</P><LI-CODE lang="markup">| tstats max(_time) AS _time WHERE index=* BY host | where relative_time(now(), "-30d") &gt; _time | reltime | rename reltime as since_last_update | eval last_update_time = strftime(_time, "%F %T")</LI-CODE> Thu, 26 Sep 2024 04:11:04 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-an-output-containing-all-host-details-along-with/m-p/700159#M237626 yuanliu 2024-09-26T04:11:04Z