Solved: What can be a light sanity check for content?

ddrillic · ‎02-20-2017

Our users would like to run queries, on a regular basis, which would show them that their data keeps flowing in without issues. One user came up with the following - index=xxxxxx earliest=-1m | stats latest(_time) as latestTime by host sourcetype source | eval latestTime=strftime(latestTime,"%x,%X")

Is it reasonable? I think that tstats is better, right?

somesoni2 · ‎02-20-2017

Tstats much better as it's faster. Since multiple users are going to run this, you need something faster.

| tstats latest(_time) as latestTime WHERE index=xxxxxx earliest=-1m by host sourcetype source | eval latestTime=strftime(latestTime,"%x,%X")

View solution in original post

somesoni2 · ‎02-20-2017

Tstats much better as it's faster. Since multiple users are going to run this, you need something faster.

| tstats latest(_time) as latestTime WHERE index=xxxxxx earliest=-1m by host sourcetype source | eval latestTime=strftime(latestTime,"%x,%X")

ddrillic · ‎02-20-2017

Perfect!!!

What can be a light sanity check for content?

Shape the Future of Splunk: Join the Product Research Lab!

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Are you a member of the Splunk Community?

What can be a light sanity check for content?

Shape the Future of Splunk: Join the Product Research Lab!

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions