Archive

What can be a light sanity check for content?

Ultra Champion

Our users would like to run queries, on a regular basis, which would show them that their data keeps flowing in without issues. One user came up with the following -
index=xxxxxx earliest=-1m | stats latest(_time) as latestTime by host sourcetype source | eval latestTime=strftime(latestTime,"%x,%X")

Is it reasonable? I think that tstats is better, right?

Tags (1)
0 Karma
1 Solution

Revered Legend

Tstats much better as it's faster. Since multiple users are going to run this, you need something faster.

| tstats latest(_time) as latestTime WHERE index=xxxxxx earliest=-1m by host sourcetype source | eval latestTime=strftime(latestTime,"%x,%X")

View solution in original post

0 Karma

Revered Legend

Tstats much better as it's faster. Since multiple users are going to run this, you need something faster.

| tstats latest(_time) as latestTime WHERE index=xxxxxx earliest=-1m by host sourcetype source | eval latestTime=strftime(latestTime,"%x,%X")

View solution in original post

0 Karma

Ultra Champion

Perfect!!!

0 Karma
Don’t Miss Global Splunk
User Groups Week!

Free LIVE events worldwide 2/8-2/12
Connect, learn, and collect rad prizes
and swag!