Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Earliest event in a sourcetype

mcm10285
Communicator
‎03-21-2012 11:28 PM

Is there a way to know the earliest event of a specific sourcetype and if the actual event can be viewed for validation?

I tried the following but it returned an epoch time (earliest and latest) for different sourcetypes which I cannot validate by seeing the actual event.

| metadata type=sourcetypes sourcetype=proofpoint | stats min(firstTime) as firstTime
Tags (2)
0 Karma
Reply

justinatpnnl
Communicator
‎10-09-2017 04:14 PM

You could use the metadata command as a subsearch, getting the firstTime as the latest time that Splunk should look at:

sourcetype=proofpoint 
    [| metadata type=sourcetypes 
    | search sourcetype=proofpoint 
    | stats min(firstTime) as latest by sourcetype 
    | eval latest=latest+1] 
| stats earliest(_time) as _time, earliest(_raw) as event by sourcetype

I tried this on a few of my sourcetypes and it seemed to do the trick. A couple of notes:

  1. Set your timepicker to "All Time"
  2. By setting the minimum firstTime to latest in the subsearch, we are overriding the timepicker to use to search for anything older than the minimum firstTime we found.
  3. I added one to the latest time in the subsearch because Splunk translates latest=timestamp as _time
Reply

eckolp2003
Path Finder
‎10-09-2017 02:40 PM

Proofpoint now has a beta app that will allow you report on and visualze your Proofpoint Protection Server and TAP data! Check out the new app here:

https://splunkbase.splunk.com/app/3727/#/details

Be sure to follow the instructions listed in the details to get all the needed TA's etc that the app needs to work correctly.

0 Karma
Reply

sowings
Splunk Employee
Splunk Employee
‎03-27-2012 09:07 AM

The metadata search command won't show you events, just the "meta" data (hence the name) in the system catalog. If you want to see events of a certain sourcetype, you could just search for those:

search sourcetype=foo

To find the chronological first of these, you could try:

search sourcetype=foo | tail

(remembering that Splunk returns newest events first, and oldest events last).

0 Karma
Reply

MarioM
Motivator
‎03-22-2012 04:39 AM

do you mean you want a human readable date/time ? if yes add this to your search:

| convert ctime(firstTime)
0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...