Finding the earliestTime and latestTime of hot/warm/cold buckets

nivin0910
Engager

I'm unclear if this is the correct way to go about finding the earliest/latest event time in a bucket.

| dbinspect index=wineventlog state=warm
| search tsidxState="full"
| eval sizeOnDiskGB=round(sizeOnDiskMB / 1024, 2)
| stats min(startEpoch) as earliestTime, max(endEpoch) as latestTime, count(path) as numberOfBuckets, sum(sizeOnDiskGB) as totalSizeOnDiskGB by splunk_server
| eval earliestTime=strftime(earliestTime,"%Y/%m/%d %H:%M:%S")
| eval latestTime=strftime(latestTime,"%Y/%m/%d %H:%M:%S")

For this example, I'm specifically looking at finding the earliestTime in warm buckets. I set the time picker and found a date that may be what I'm looking for. However, I'm not sure if this is how I should go about finding such info.

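As an added example (not the poster's code and not a Splunk-supplied tool), the script below does the same aggregation over rows exported from `| dbinspect` and extends it in two ways a defender usually wants: it groups by bucket state as well as indexer, and it turns the earliest warm/cold event time into a retention-coverage check against a required lookback window. Two caveats are built in: dbinspect only lists buckets that overlap the search's time range, so the export should be taken over "All time" rather than whatever the time picker happens to hold; and startEpoch/endEpoch are the earliest and latest event timestamps stored in a bucket, not when the bucket was created or rolled. The rows are constructed sample data, the `"mini"` tsidxState value (a reduced tsidx) is assumed, and the `now_epoch` used for the check is fixed to match the sample.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample rows shaped like `| dbinspect index=wineventlog` output
# (exported over "All time", since dbinspect only lists buckets that overlap
# the search time range). Epochs are UTC; sizes are MB as dbinspect reports.
# The "mini" tsidxState value is an assumption (a tsidx-reduced bucket).
SAMPLE_ROWS = [
    {"splunk_server": "idx1", "state": "hot",  "tsidxState": "full", "startEpoch": 1706659200, "endEpoch": 1706745600, "sizeOnDiskMB": 512.0},
    {"splunk_server": "idx1", "state": "warm", "tsidxState": "full", "startEpoch": 1704067200, "endEpoch": 1704153600, "sizeOnDiskMB": 1024.0},
    {"splunk_server": "idx1", "state": "warm", "tsidxState": "full", "startEpoch": 1704153600, "endEpoch": 1706659200, "sizeOnDiskMB": 2048.0},
    {"splunk_server": "idx1", "state": "warm", "tsidxState": "mini", "startEpoch": 1703980800, "endEpoch": 1704067200, "sizeOnDiskMB": 256.0},
    {"splunk_server": "idx1", "state": "cold", "tsidxState": "full", "startEpoch": 1698796800, "endEpoch": 1703980800, "sizeOnDiskMB": 4096.0},
    {"splunk_server": "idx2", "state": "warm", "tsidxState": "full", "startEpoch": 1704067200, "endEpoch": 1706659200, "sizeOnDiskMB": 3072.0},
]


def fmt(epoch):
    """Render an epoch the way the post's strftime() call does, in UTC."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y/%m/%d %H:%M:%S")


def summarize_buckets(rows, require_full_tsidx=True):
    """Equivalent of the post's stats, but grouped by (splunk_server, state).

    startEpoch/endEpoch are the earliest and latest event timestamps held in
    each bucket, so min/max across a group gives the event-time span covered.
    Buckets whose tsidx is not "full" are dropped when require_full_tsidx is
    set, mirroring the post's `search tsidxState="full"`.
    """
    groups = defaultdict(list)
    for row in rows:
        if require_full_tsidx and row.get("tsidxState") != "full":
            continue
        groups[(row["splunk_server"], row["state"])].append(row)

    summary = {}
    for key, bucket_rows in sorted(groups.items()):
        earliest = min(r["startEpoch"] for r in bucket_rows)
        latest = max(r["endEpoch"] for r in bucket_rows)
        summary[key] = {
            "earliestTime": fmt(earliest),
            "latestTime": fmt(latest),
            "numberOfBuckets": len(bucket_rows),
            "totalSizeOnDiskGB": round(sum(r["sizeOnDiskMB"] for r in bucket_rows) / 1024, 2),
        }
    return summary


def retention_coverage(rows, required_days, now_epoch, states=("warm", "cold")):
    """Per indexer: how far back searchable data reaches vs. a required window.

    A quick check that an index such as Windows event logs still holds enough
    history for an investigation lookback. Hot buckets are excluded by default
    because they are still being written to.
    """
    earliest_by_server = {}
    for row in rows:
        if row["state"] not in states:
            continue
        server = row["splunk_server"]
        earliest_by_server[server] = min(earliest_by_server.get(server, row["startEpoch"]), row["startEpoch"])

    report = {}
    for server, earliest in sorted(earliest_by_server.items()):
        retained_days = (now_epoch - earliest) / 86400
        report[server] = {
            "earliestTime": fmt(earliest),
            "retainedDays": round(retained_days, 1),
            "coversRequiredWindow": retained_days >= required_days,
        }
    return report


if __name__ == "__main__":
    for (server, state), s in summarize_buckets(SAMPLE_ROWS).items():
        print(f"{server} {state:<4} {s}")
    # now_epoch is 2024-02-01 00:00:00 UTC, chosen to match the constructed rows
    for server, r in retention_coverage(SAMPLE_ROWS, 90, 1706745600).items():
        print(f"{server}: {r}")
```

With the sample rows, idx1 holds warm/cold data back to 2023/11/01 (92 days, which meets a 90-day window) while idx2 only reaches 2024/01/01 (31 days), the kind of per-indexer gap a single `by splunk_server` min() hides when it is read without a required window next to it.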