topic Re: Is there a fast way to search all indexes to list just the index names and the date/time of the last event or update? in Splunk Search

Is there a fast way to search all indexes to list just the index names and the date/time of the last event or update?

jwleppert — Tue, 24 May 2016 10:28:59 GMT

Is there a fast way to search all indexes to list just the index name and the time/date of the last event or update?
My searches are taking entirely too long. I tried an 'eventcount' search which runs fast, but it only provides sourcetype names and not the index names.

Re: Is there a fast way to search all indexes to list just the index names and the date/time of the last event or update?

richgalloway — Tue, 24 May 2016 13:05:58 GMT

Does it have to be a query? The Settings->Indexes screen shows the information you seek.

Re: Is there a fast way to search all indexes to list just the index names and the date/time of the last event or update?

sjohnson_splunk — Tue, 24 May 2016 13:16:05 GMT

You should be able to use a rest command to get the results:

|rest /services/data/indexes | table title

Re: Is there a fast way to search all indexes to list just the index names and the date/time of the last event or update?

jwleppert — Tue, 24 May 2016 13:19:32 GMT

that doesn't give the time/date of the last event

Re: Is there a fast way to search all indexes to list just the index names and the date/time of the last event or update?

ryanoconnor — Tue, 24 May 2016 13:23:19 GMT

This should get you what you need:

index=* 
| stats latest(_time) as latestTime by index
| eval latestTime=strftime(latestTime,"%x %X")

Re: Is there a fast way to search all indexes to list just the index names and the date/time of the last event or update?

richgalloway — Tue, 24 May 2016 13:27:08 GMT

This does:

|rest /services/data/indexes | table title updated

Re: Is there a fast way to search all indexes to list just the index names and the date/time of the last event or update?

jwleppert — Tue, 24 May 2016 13:29:51 GMT

That looks to work but it runs too slow. Any query I run starting with Index=* runs too slow

Re: Is there a fast way to search all indexes to list just the index names and the date/time of the last event or update?

jwleppert — Tue, 24 May 2016 13:31:06 GMT

|rest /services/data/indexes | table title updated

this gives duplicate index names

Re: Is there a fast way to search all indexes to list just the index names and the date/time of the last event or update?

splunkton — Tue, 24 May 2016 13:32:53 GMT

Give a shot hope fully it solves your query

index=* | eval latest=now()|table index latest converttime |eval converttime=strftime(latest,"%m/%d/%y %H:%M:%S") |dedup index latest

Re: Is there a fast way to search all indexes to list just the index names and the date/time of the last event or update?

jwleppert — Tue, 24 May 2016 13:37:15 GMT

That looks to work but it runs too slow. Any query I run starting with Index=* runs too slow
I was hoping something faster using dbinspect or tstats

Re: Is there a fast way to search all indexes to list just the index names and the date/time of the last event or update?

richgalloway — Tue, 24 May 2016 13:40:15 GMT

Of course, it does. Your indexes reside on multiple indexers with different update times. If you don't want duplicates you have a couple of options.

 |rest /services/data/indexes | dedup title | table title updated

 |rest /services/data/indexes | stats first(updated) by title

Re: Is there a fast way to search all indexes to list just the index names and the date/time of the last event or update?

ryanoconnor — Tue, 24 May 2016 13:43:26 GMT

This might be faster:

| eventcount summarize=false index=* index=_* 
| dedup index | fields index  | map maxsearches=100 search="|metadata type=sourcetypes index=\"$index$\"
| eval index=\"$index$\"" | eval latestTime=strftime(lastTime,"%x %X") | table latestTime index | stats max(latestTime) by index

Re: Is there a fast way to search all indexes to list just the index names and the date/time of the last event or update?

splunkton — Tue, 24 May 2016 13:44:15 GMT

try this

| tstats latest(_time) as latest by index |eval converttime=strftime(latest,"%m/%d/%y %H:%M:%S")|fields index converttime

Re: Is there a fast way to search all indexes to list just the index names and the date/time of the last event or update?

jwleppert — Tue, 24 May 2016 13:44:37 GMT

That runs quick, thx!

Re: Is there a fast way to search all indexes to list just the index names and the date/time of the last event or update?

jwleppert — Tue, 24 May 2016 13:47:25 GMT

Error in 'map': Did not find value for required attribute 'index'.