Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Earliest event in a sourcetype

mcm10285
Communicator
‎03-21-2012 11:28 PM

Is there a way to know the earliest event of a specific sourcetype and if the actual event can be viewed for validation?

I tried the following but it returned an epoch time (earliest and latest) for different sourcetypes which I cannot validate by seeing the actual event.

| metadata type=sourcetypes sourcetype=proofpoint | stats min(firstTime) as firstTime
Tags (2)
0 Karma
Reply

justinatpnnl
Communicator
‎10-09-2017 04:14 PM

You could use the metadata command as a subsearch, getting the firstTime as the latest time that Splunk should look at:

sourcetype=proofpoint 
    [| metadata type=sourcetypes 
    | search sourcetype=proofpoint 
    | stats min(firstTime) as latest by sourcetype 
    | eval latest=latest+1] 
| stats earliest(_time) as _time, earliest(_raw) as event by sourcetype

I tried this on a few of my sourcetypes and it seemed to do the trick. A couple of notes:

  1. Set your timepicker to "All Time"
  2. By setting the minimum firstTime to latest in the subsearch, we are overriding the timepicker to use to search for anything older than the minimum firstTime we found.
  3. I added one to the latest time in the subsearch because Splunk translates latest=timestamp as _time
Reply

eckolp2003
Path Finder
‎10-09-2017 02:40 PM

Proofpoint now has a beta app that will allow you report on and visualze your Proofpoint Protection Server and TAP data! Check out the new app here:

https://splunkbase.splunk.com/app/3727/#/details

Be sure to follow the instructions listed in the details to get all the needed TA's etc that the app needs to work correctly.

0 Karma
Reply

sowings
Splunk Employee
Splunk Employee
‎03-27-2012 09:07 AM

The metadata search command won't show you events, just the "meta" data (hence the name) in the system catalog. If you want to see events of a certain sourcetype, you could just search for those:

search sourcetype=foo

To find the chronological first of these, you could try:

search sourcetype=foo | tail

(remembering that Splunk returns newest events first, and oldest events last).

0 Karma
Reply

MarioM
Motivator
‎03-22-2012 04:39 AM

do you mean you want a human readable date/time ? if yes add this to your search:

| convert ctime(firstTime)
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Tiling

This puzzle (first published here) is based on finding groups of tessellated tiles (inspired by floor tiles I ...

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

    Thursday, July 9, 2026  |  11:00AM–12:00PM PDT Duration: 1 hour (includes Q&A) Managing can feel like a ...

Upgrade Prep for 10.4, Network Observability Deep Dives, and More from Splunk Lantern

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...