Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Oldest event from source or sourcetype

suhprano
Path Finder
‎05-05-2011 10:34 AM

I have a distributed index model and I would like to use the search head to find out what the oldest event is per source or sourcetype.

I tried using the metadata command but nothing comes up, do I have to do this search on the indexer? Is there a way to search this just on the search head?

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

hazekamp
Builder
‎05-05-2011 02:04 PM

suhprano,

The "| metadata" command will distribute to all servers in your distributed search pool. The reason you may not be getting results back could be caused by your data being in non-default indexes. Have you tried:

| metadata type=sources index=*

Your role should also have the get_metadata capability (get_metadata is a shipped capability of all roles).

Update:
Based on your comment below make sure you are using valid types. Valid types are:

type=sources
type=hosts
type=sourcetypes

View solution in original post

Reply
Solved! Jump to solution

usethedata
Path Finder
‎09-21-2013 06:10 PM

I wanted the timestamp of the oldest event to be in human interpretable form, so I added a strftime call. For me, to find the oldest record from my vpn log source, I used 

| metadata type=sources index=* | where source="/log/sources/myvpn/myvpn.log" | eval str_firstTime=strftime(firstTime,"%Y-%m-%d %H:%M")

That gave me the oldest event for that particular source in a format that was easy to read

0 Karma
Reply
Solved! Jump to solution
Solution

hazekamp
Builder
‎05-05-2011 02:04 PM

suhprano,

The "| metadata" command will distribute to all servers in your distributed search pool. The reason you may not be getting results back could be caused by your data being in non-default indexes. Have you tried:

| metadata type=sources index=*

Your role should also have the get_metadata capability (get_metadata is a shipped capability of all roles).

Update:
Based on your comment below make sure you are using valid types. Valid types are:

type=sources
type=hosts
type=sourcetypes
Reply
Solved! Jump to solution

suhprano
Path Finder
‎05-06-2011 10:35 AM

Thanks for the info, but it appears that it only retrieves one epoch time for all source/sourcetypes. Is there a way to find the oldest event regarding a particular sourcetype?

0 Karma
Reply
Solved! Jump to solution

hazekamp
Builder
‎05-05-2011 04:13 PM

Your search looks good except for type=sourcestypes. Should either be type=sources or type=sourcetypes

0 Karma
Reply
Solved! Jump to solution

suhprano
Path Finder
‎05-05-2011 02:13 PM

Sorry, I'm still not seeing it. I'm also trying on the actual indexes and nothing comes up. This is the search I'm running:

| metadata type=sourcestypes index=*| stats min(firstTime) as firstTime

Could it be the (firstTime) field? I don't know if that's the right syntax or parameter I should be passing.

Reply
Get Updates on the Splunk Community!

Splunk APM: New Product Features + Community Office Hours Recap!

Howdy Splunk Community! Over the past few months, we’ve had a lot going on in the world of Splunk Application ...

Index This | Forward, I’m heavy; backward, I’m not. What am I?

April 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

A Guide To Cloud Migration Success

As enterprises’ rapid expansion to the cloud continues, IT leaders are continuously looking for ways to focus ...