Archive
Highlighted

way to identify data not indexed

New Member

hi all,
recently, following an update to Splunk 6.4.3 we are having trouble finding data with searches that worked before. We suspect it is related to re-indexing during the update. Is there a way to identify if there is data which still needs to be indexed?

0 Karma
Highlighted

Re: way to identify data not indexed

Champion

this search will list out the hosts and their last time these host sent any data to splunk(sort lastTime).

| metadata type=hosts 
  | fields host firstTime lastTime totalCount
  | fieldformat firstTime=strftime(firstTime,"%x %X")
  | fieldformat lastTime=strftime(lastTime,"%x %X")
  | sort lastTime
0 Karma