Forwarder Installation date - Audit


Hi Splunkers,

I want list of all the forwarders with their first installation date or exactly since when they are sending data to Indexers.

Can someone please provide any details on this. Appreciate your help on this. Thanks !

Labels (1)
0 Karma

Ultra Champion

Hi @ramprakash
Use the metadata command:

| metadata type=hosts index=_internal | eval first_connected=strftime(firstTime, "%Y/%m/%d %H:%M:%s")
| table host first_connected

This will show you the earliest event from Splunk for your hosts, you can then search with |search host=xxx

If my comment helps, please give it a thumbs up!


To add to @nickhillscpl answer:
Set the time range picker to "All Time".
Also note that this search will retrieve the earliest events in the _internal index which are still available in Splunk. Older events might have been discarded due to exceeded retention periods or full indexes.


yes older events have been discarded. This query is not giving me results i wanted.

Is there any other query which will give me first installation date.

0 Karma

Ultra Champion

Thanks @whrg - I should have noted that!

If your _internal retention is shorter than your application/security data, you can always switch to index=myindex to look at the earliest event from a specific index

If my comment helps, please give it a thumbs up!



You can try using below query to get first event come from forwarder:

index=_* | stats earliest(_time) as FirstAppearance by host
0 Karma
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Get the T-shirt to Prove You Survived Splunk University Bootcamp

As if Splunk University, in Las Vegas, in-person, with three days of bootcamps and labs weren’t enough, now ...

Wondering How to Build Resiliency in the Cloud?

IT leaders are choosing Splunk Cloud as an ideal cloud transformation platform to drive business resilience,  ...