from Lowell and dveuve's answer at
https://answers.splunk.com/answers/4119/how-to-return-time-of-first-event-in-an-index.html
You can get first/last information from your index like this using the metadata command, that is the fastest way to get this information:
| metadata index=foo type=hosts | stats max(lastTime), min(firstTime)
If you want to convert that into a more readable time format, try something like this:
| metadata index=foo type=hosts | stats max(lastTime) as lastTime, min(firstTime) as firstTime | convert ctime(*Time)
Be aware that if you have one host sending data in with the wrong timestamp, that will show up here. Most of your data could be a week old, but that one host with NTP disabled and a time setting of 1.25 years ago will make you think you are meeting your data retention requirement.
linux files date info - this will give the first and last events dates.. which may or may not be the splunk environment's install date.
one simple idea -
ls -tl /SPLUNK_install_HOME/splunk/bin/*
the oldest file on this directory, will give you approximate date(considering you have not done any major upgrade)
work around -
to find the oldest 10 files under your splunk installation directory -
find /opt/splunk/ -type f -printf '%T+ %p\n' | sort | head -n 10
10 files, to get more clear picture.
thanks and best regards,
Sekar
PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
