All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Cheap way to find min(_indextime) without walking all the indexes backwards?

neiljpeterson
Communicator
‎04-24-2014 10:23 AM

I want to find the earliest _indextime by host for all my indexes. Specifically I need to know when the each forwarder first started indexing data... NOT the earliest timestamp of an event, but when the data itself was actually forwarded and indexed.

I can do this obviously

index=* | chart min(_indextime) as first by host | fieldformat "first"=strftime('first', "%c")

but it takes a while. Is there a way to do this more cheaply?

Here is an almost identical question: http://answers.splunk.com/answers/81718/search-for-oldest-event-in-splunk-by-_indextime-to-test-data... But unfortunately metadata and firsttime return min(_time) not min(_indextime) AFAIK

What is the easiest way to quickly grab the earliest _indextime by host without searching every event in every index?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎04-24-2014 01:42 PM

This should be pretty brisk:

| tstats min(_indextime) where (index=* OR index=_*) by host

Run over all time, takes a lot less time than your example on my dev machine. Change the where if you're only looking for a specific index.

This search has completed and has returned 2 results by scanning 3,381,336 events in 4.096 seconds.

About a million EPS on a single machine with only one drive 😄
For comparison, the other way takes a bit longer, only about 60000 EPS:

index=* OR index=_* | stats min(_indextime) by host
This search has completed and has returned 2 result by scanning 3,381,718 events in 55.554 seconds.

View solution in original post

Reply
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎04-24-2014 01:42 PM

This should be pretty brisk:

| tstats min(_indextime) where (index=* OR index=_*) by host

Run over all time, takes a lot less time than your example on my dev machine. Change the where if you're only looking for a specific index.

This search has completed and has returned 2 results by scanning 3,381,336 events in 4.096 seconds.

About a million EPS on a single machine with only one drive 😄
For comparison, the other way takes a bit longer, only about 60000 EPS:

index=* OR index=_* | stats min(_indextime) by host
This search has completed and has returned 2 result by scanning 3,381,718 events in 55.554 seconds.
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...