Solved: What can be a light sanity check for content?

ddrillic · ‎02-20-2017

Our users would like to run queries, on a regular basis, which would show them that their data keeps flowing in without issues. One user came up with the following - index=xxxxxx earliest=-1m | stats latest(_time) as latestTime by host sourcetype source | eval latestTime=strftime(latestTime,"%x,%X")

Is it reasonable? I think that tstats is better, right?

somesoni2 · ‎02-20-2017

Tstats much better as it's faster. Since multiple users are going to run this, you need something faster.

| tstats latest(_time) as latestTime WHERE index=xxxxxx earliest=-1m by host sourcetype source | eval latestTime=strftime(latestTime,"%x,%X")

View solution in original post

somesoni2 · ‎02-20-2017

Tstats much better as it's faster. Since multiple users are going to run this, you need something faster.

| tstats latest(_time) as latestTime WHERE index=xxxxxx earliest=-1m by host sourcetype source | eval latestTime=strftime(latestTime,"%x,%X")

ddrillic · ‎02-20-2017

Perfect!!!

What can be a light sanity check for content?

Can’t make it to .conf25? Join us online!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Unlock What’s Next: The Splunk Cloud Platform at .conf25

Are you a member of the Splunk Community?

What can be a light sanity check for content?

Can’t make it to .conf25? Join us online!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Unlock What’s Next: The Splunk Cloud Platform at .conf25