Monitoring Splunk
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to see last time index was written to.

osmusem
New Member
‎11-13-2017 06:52 AM

I am trying to see the last time an index was written to so we can monitor it and make sure logs are still being received. I haven't really found anything that works. I was able to craft the search below, but it go through all of the logs and takes forever.

index=* | bucket _time span=1d as day | stats latest(_time) as Last by index | eval Last=strftime(Last,"%H:%M:%S") | eval day=strftime(day,"%m/%d/%Y")

Any help would be appreciated.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

micahkemp
Champion
‎11-13-2017 07:56 AM

| tstats latest(_time) WHERE index=* BY index

View solution in original post

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎11-13-2017 07:56 AM

Try this query.

| rest /services/data/indexes splunk_server=local | sort title | table title maxTime
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

osmusem
New Member
‎11-14-2017 08:19 AM

This worked, too, however maxTime only displayed for one of the entries and not all of the indexes.

0 Karma
Reply
Solved! Jump to solution
Solution

micahkemp
Champion
‎11-13-2017 07:56 AM

| tstats latest(_time) WHERE index=* BY index

0 Karma
Reply
Solved! Jump to solution

osmusem
New Member
‎11-14-2017 08:18 AM

So this got me what I was looking for. However, I modified to the search below. The last thing I need is to figure out how to setup a where statement so it will display the indexes that have a latest(_time) of greater than an hour. Eventually, this will be turned into an alert where I would receive an email if an index hasn't been updated in more than an hour. Thanks for any help!

| tstats latest(_time) as Last by index | eval Last=strftime(Last,"%H:%M:%S")

0 Karma
Reply
Solved! Jump to solution

micahkemp
Champion
‎11-14-2017 08:38 AM

Try:

| tstats latest(_time) as Last by index | eval one_hour_ago=relative_time(now(), "-1h") | where Last<one_hour_ago | eval Last=strftime(Last,"%H:%M:%S")

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...