I am trying to do some planning for future growth of our Splunk environment, and as part of that, I need to find out how long I am retaining data with our current disk space. Is there a command or somewhere I can check to find out how old my oldest indexed data is? For obvious reasons, I'd rather not do a search over All Time on host names to accomplish this. We are on 4.05.
Note that we retire data a bucket at a time, by the leading edge of the bucket, so in cases where your data is ragged you may have to inspect the data bucket by bucket to see where the leading edge is.
You can do this by running dir on the index directories and decoding the Unix epoch time numbers, or by using the dbinspect command, e.g.:
splunk> |dbinspect index=main span=1d |tail 40
This tells you for the oldest 40 days in your index, which buckets have that data. At the point where your oldest bucket stops being represented, that's this value. Change the span and tail values to suit.
You can also run
| dbinspect index=xxx timeformat="%s" | stats min(earliestTime),max(latestTime) | convert ctime(*Time)
This does not run in distributed mode though. You can also get this information in distributed mode with
|metadata type=sourcetypes | stats min(firstTime),max(lastTime) | convert ctime(*Time)
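
The directory-listing approach mentioned in the answers above (decoding the epoch numbers in the bucket directory names), as an added example that is not part of the original posts. It assumes warm and cold bucket directories are named db_<newestEpoch>_<oldestEpoch>_<id>; the directory names, the "now" value and the function names are constructed for illustration.

```python
import re
from datetime import datetime, timezone

# Assumption: warm/cold bucket directories are named
# db_<newestEpoch>_<oldestEpoch>_<id>. Hot buckets (hot_v1_<id>) carry no
# time range in their name, so they are skipped.
BUCKET_RE = re.compile(r"^db_(\d+)_(\d+)_(\d+)")

# Constructed listing of an index's bucket directories (not real data).
SAMPLE_DIRS = [
    "db_1262304000_1259625600_3",  # 2009-12-01 .. 2010-01-01
    "db_1264982400_1230768000_4",  # ragged: 2009-01-01 .. 2010-02-01
    "db_1267401600_1264982400_5",  # 2010-02-01 .. 2010-03-01
    "hot_v1_6",
]
SAMPLE_NOW = 1270080000  # constructed "now": 2010-04-01 00:00:00 UTC

def iso(epoch):
    """Render an epoch value as a UTC timestamp string."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")

def parse_bucket(name):
    """Return the bucket's time range, or None if the name has no range."""
    m = BUCKET_RE.match(name)
    if not m:
        return None
    newest, oldest, bucket_id = (int(g) for g in m.groups())
    return {"name": name, "newest": newest, "oldest": oldest, "id": bucket_id}

def retention_summary(names, now_epoch):
    """Find the oldest event and the bucket with the oldest leading edge."""
    buckets = [b for b in map(parse_bucket, names) if b]
    if not buckets:
        return None
    oldest = min(buckets, key=lambda b: b["oldest"])
    # Buckets are retired whole, by their leading (newest) edge, so the
    # bucket whose newest event is oldest is the next one to go.
    next_out = min(buckets, key=lambda b: b["newest"])
    return {
        "oldest_event": oldest["oldest"],
        "oldest_event_utc": iso(oldest["oldest"]),
        "oldest_event_bucket": oldest["name"],
        "oldest_event_age_days": (now_epoch - oldest["oldest"]) // 86400,
        "next_retired_bucket": next_out["name"],
        "next_retired_edge_age_days": (now_epoch - next_out["newest"]) // 86400,
    }

if __name__ == "__main__":
    for key, value in retention_summary(SAMPLE_DIRS, SAMPLE_NOW).items():
        print(f"{key}: {value}")
```

In the constructed listing the oldest event is 455 days old, but it sits in a ragged bucket; the bucket that will be retired first has a leading edge only 90 days old.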