Monitoring Splunk
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to see last time index was written to.

osmusem
New Member
‎11-13-2017 06:52 AM

I am trying to see the last time an index was written to so we can monitor it and make sure logs are still being received. I haven't really found anything that works. I was able to craft the search below, but it go through all of the logs and takes forever.

index=* | bucket _time span=1d as day | stats latest(_time) as Last by index | eval Last=strftime(Last,"%H:%M:%S") | eval day=strftime(day,"%m/%d/%Y")

Any help would be appreciated.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

micahkemp
Champion
‎11-13-2017 07:56 AM

| tstats latest(_time) WHERE index=* BY index

View solution in original post

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎11-13-2017 07:56 AM

Try this query.

| rest /services/data/indexes splunk_server=local | sort title | table title maxTime
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

osmusem
New Member
‎11-14-2017 08:19 AM

This worked, too, however maxTime only displayed for one of the entries and not all of the indexes.

0 Karma
Reply
Solved! Jump to solution
Solution

micahkemp
Champion
‎11-13-2017 07:56 AM

| tstats latest(_time) WHERE index=* BY index

0 Karma
Reply
Solved! Jump to solution

osmusem
New Member
‎11-14-2017 08:18 AM

So this got me what I was looking for. However, I modified to the search below. The last thing I need is to figure out how to setup a where statement so it will display the indexes that have a latest(_time) of greater than an hour. Eventually, this will be turned into an alert where I would receive an email if an index hasn't been updated in more than an hour. Thanks for any help!

| tstats latest(_time) as Last by index | eval Last=strftime(Last,"%H:%M:%S")

0 Karma
Reply
Solved! Jump to solution

micahkemp
Champion
‎11-14-2017 08:38 AM

Try:

| tstats latest(_time) as Last by index | eval one_hour_ago=relative_time(now(), "-1h") | where Last<one_hour_ago | eval Last=strftime(Last,"%H:%M:%S")

0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...