Monitoring Splunk
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to see last time index was written to.

osmusem
New Member
‎11-13-2017 06:52 AM

I am trying to see the last time an index was written to so we can monitor it and make sure logs are still being received. I haven't really found anything that works. I was able to craft the search below, but it go through all of the logs and takes forever.

index=* | bucket _time span=1d as day | stats latest(_time) as Last by index | eval Last=strftime(Last,"%H:%M:%S") | eval day=strftime(day,"%m/%d/%Y")

Any help would be appreciated.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

micahkemp
Champion
‎11-13-2017 07:56 AM

| tstats latest(_time) WHERE index=* BY index

View solution in original post

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎11-13-2017 07:56 AM

Try this query.

| rest /services/data/indexes splunk_server=local | sort title | table title maxTime
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

osmusem
New Member
‎11-14-2017 08:19 AM

This worked, too, however maxTime only displayed for one of the entries and not all of the indexes.

0 Karma
Reply
Solved! Jump to solution
Solution

micahkemp
Champion
‎11-13-2017 07:56 AM

| tstats latest(_time) WHERE index=* BY index

0 Karma
Reply
Solved! Jump to solution

osmusem
New Member
‎11-14-2017 08:18 AM

So this got me what I was looking for. However, I modified to the search below. The last thing I need is to figure out how to setup a where statement so it will display the indexes that have a latest(_time) of greater than an hour. Eventually, this will be turned into an alert where I would receive an email if an index hasn't been updated in more than an hour. Thanks for any help!

| tstats latest(_time) as Last by index | eval Last=strftime(Last,"%H:%M:%S")

0 Karma
Reply
Solved! Jump to solution

micahkemp
Champion
‎11-14-2017 08:38 AM

Try:

| tstats latest(_time) as Last by index | eval one_hour_ago=relative_time(now(), "-1h") | where Last<one_hour_ago | eval Last=strftime(Last,"%H:%M:%S")

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...