How do I get Last Updated time for my index and event data?

Motivator

Hi,

I have an index called "mydata", sourcetype="my_data".

My sample event is something like this:

2013-05-12:00:12:34 reportname="X" Request ##############
..................
.
.............

Here in my sample event, I need to know the LastUpdate for the different report_names. I have the following reportnames in the event data, so I need a report like this:

report_name LastUpdateTime
X 2012-05-12:4:34:00
Y 2012-05-12:4:04:00

...

How can I get this? Please help!

0 Karma

Splunk Employee

If you just want to list the latest timestamp for each reportname, you can use:

index=mydata sourcetype=mysourcetype source=mysource | stats latest(_time) AS LastUpdateTime by reportname | table reportname LastUpdateTime | sort -reportname

For details, see http://docs.splunk.com/Documentation/Splunk/5.0.2/SearchReference/CommonStatsFunctions

Champion

Hello Rakesh,
I would like to know how you monitor the data.

If the data is coming like you mentioned, doing a "table report_name, LastUpdateTime, _time | dedup report_name" will give you the latest records.

Motivator

Report names will be coming from the logfile only. Can you please give the script to send me the last update time? I don't want to run the search for all time to find the most recent time for all the reportnames.

0 Karma

Champion

I wanted to know how the report names are being indexed. As an alternative, you can also write a script and configure it in inputs.conf to send you the last modified time for the report files.

0 Karma

Motivator

I don't the file LastUpdateTime. 😞 It's not working. Monitor the data??

0 Karma