https://community.splunk.com/t5/Splunk-Search/How-do-I-show-the-latest-event-for-a-sourcetype/m-p/169258#M48357 <P>This search is <EM>extremely</EM> fast, and can give you basic info about sourcetypes</P> <PRE><CODE>| metadata type=sourcetypes index=euc </CODE></PRE> <P>You can also run this search with <CODE>type=hosts</CODE> and <CODE>type=sources</CODE>. You could create a dashboard with 3 panels and have one search in each panel. The <CODE>recentTime</CODE> in the result is the latest time that Splunk indexed data from that sourcetype (or host or source). The <CODE>lastTime</CODE> is the timestamp of the most recent event. In large environments, the metadata command might not be completely accurate, though. This command will look back as many days as it can.</P> <P>For the complete listing (which you could use the check the accuracy of the above technique), I would do this</P> <PRE><CODE>index=euc_ | stats latest(_time) as latestTime by host sourcetype source | eval latestTime=strftime(latestTime,"%x %X") </CODE></PRE> <P>Since you are only looking at one index, the metadata command will probably be accurate.</P> Wed, 12 Aug 2015 17:00:37 GMT lguinn2 2015-08-12T17:00:37Z https://community.splunk.com/t5/Splunk-Search/How-do-I-show-the-latest-event-for-a-sourcetype/m-p/169257#M48356 <P>Hi,</P> <P>I need to show a customer that their logs are appearing in Splunk, and want to list the host, sourcetype, and source, along with the most recent event (with a nice date) going back 7 days. </P> <P>I can do most of it, but am having problems with the most recent event per sourcetype. I have the following:</P> <PRE><CODE>index=euc_* host=lyncqa*fe* |fields host, sourcetype, source |dedup host, sourcetype, source |table host, sourcetype, source </CODE></PRE> <P>Can someone help me?</P> Wed, 12 Aug 2015 14:01:11 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-show-the-latest-event-for-a-sourcetype/m-p/169257#M48356 a212830 2015-08-12T14:01:11Z https://community.splunk.com/t5/Splunk-Search/How-do-I-show-the-latest-event-for-a-sourcetype/m-p/169258#M48357 <P>This search is <EM>extremely</EM> fast, and can give you basic info about sourcetypes</P> <PRE><CODE>| metadata type=sourcetypes index=euc </CODE></PRE> <P>You can also run this search with <CODE>type=hosts</CODE> and <CODE>type=sources</CODE>. You could create a dashboard with 3 panels and have one search in each panel. The <CODE>recentTime</CODE> in the result is the latest time that Splunk indexed data from that sourcetype (or host or source). The <CODE>lastTime</CODE> is the timestamp of the most recent event. In large environments, the metadata command might not be completely accurate, though. This command will look back as many days as it can.</P> <P>For the complete listing (which you could use the check the accuracy of the above technique), I would do this</P> <PRE><CODE>index=euc_ | stats latest(_time) as latestTime by host sourcetype source | eval latestTime=strftime(latestTime,"%x %X") </CODE></PRE> <P>Since you are only looking at one index, the metadata command will probably be accurate.</P> Wed, 12 Aug 2015 17:00:37 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-show-the-latest-event-for-a-sourcetype/m-p/169258#M48357 lguinn2 2015-08-12T17:00:37Z https://community.splunk.com/t5/Splunk-Search/How-do-I-show-the-latest-event-for-a-sourcetype/m-p/169259#M48358 <P>tstats might be a faster option as well</P> <PRE><CODE>| tstats latest(_time) as last where sourcetype=whatever | convert ctime(last) </CODE></PRE> Thu, 13 Aug 2015 01:06:54 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-show-the-latest-event-for-a-sourcetype/m-p/169259#M48358 maciep 2015-08-13T01:06:54Z