All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Cheap way to find min(_indextime) without walking all the indexes backwards?

neiljpeterson
Communicator
‎04-24-2014 10:23 AM

I want to find the earliest _indextime by host for all my indexes. Specifically I need to know when the each forwarder first started indexing data... NOT the earliest timestamp of an event, but when the data itself was actually forwarded and indexed.

I can do this obviously

index=* | chart min(_indextime) as first by host | fieldformat "first"=strftime('first', "%c")

but it takes a while. Is there a way to do this more cheaply?

Here is an almost identical question: http://answers.splunk.com/answers/81718/search-for-oldest-event-in-splunk-by-_indextime-to-test-data... But unfortunately metadata and firsttime return min(_time) not min(_indextime) AFAIK

What is the easiest way to quickly grab the earliest _indextime by host without searching every event in every index?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎04-24-2014 01:42 PM

This should be pretty brisk:

| tstats min(_indextime) where (index=* OR index=_*) by host

Run over all time, takes a lot less time than your example on my dev machine. Change the where if you're only looking for a specific index.

This search has completed and has returned 2 results by scanning 3,381,336 events in 4.096 seconds.

About a million EPS on a single machine with only one drive 😄
For comparison, the other way takes a bit longer, only about 60000 EPS:

index=* OR index=_* | stats min(_indextime) by host
This search has completed and has returned 2 result by scanning 3,381,718 events in 55.554 seconds.

View solution in original post

Reply
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎04-24-2014 01:42 PM

This should be pretty brisk:

| tstats min(_indextime) where (index=* OR index=_*) by host

Run over all time, takes a lot less time than your example on my dev machine. Change the where if you're only looking for a specific index.

This search has completed and has returned 2 results by scanning 3,381,336 events in 4.096 seconds.

About a million EPS on a single machine with only one drive 😄
For comparison, the other way takes a bit longer, only about 60000 EPS:

index=* OR index=_* | stats min(_indextime) by host
This search has completed and has returned 2 result by scanning 3,381,718 events in 55.554 seconds.
Reply
Get Updates on the Splunk Community!

Dashboard Studio Challenge - Learn New Tricks, Showcase Your Skills, and Win Prizes!

Reimagine what you can do with your dashboards. Dashboard Studio is Splunk’s newest dashboard builder to ...

Introducing Edge Processor: Next Gen Data Transformation

We get it - not only can it take a lot of time, money and resources to get data into Splunk, but it also takes ...

Take the 2021 Splunk Career Survey for $50 in Amazon Cash

Help us learn about how Splunk has impacted your career by taking the 2021 Splunk Career Survey. Last year’s ...