Splunk Enterprise Security

I need to get the very oldest log event displayed on a dashboard, any tricks to speeding this up?

Builder

All,

I need to make a dashboard providing evidence of compliance for our auditors. I was going to use the tail command but it's VERY slow even with the fact I only have a few hundred megs of data right now. Any tricks here to speed this up?

index=os source=/var/log/secure | table _raw | tail 1
1 Solution

Influencer
index=os source=/var/log/secure | stats earliest(_raw) as _raw

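As an added example (not from any of the posters), one way to turn the accepted answer into a single audit panel: it reports the oldest and newest retained event together with the total count, so the dashboard shows the retention window rather than only the oldest raw line. The index and source are the ones from the question; the output field names are my own choice.

```spl
index=os source=/var/log/secure
| stats earliest(_time) as oldest_time, earliest(_raw) as oldest_event,
        latest(_time)   as newest_time, count as total_events
| eval retention_days = round((newest_time - oldest_time) / 86400, 1)
| fieldformat oldest_time = strftime(oldest_time, "%Y-%m-%d %H:%M:%S")
| fieldformat newest_time = strftime(newest_time, "%Y-%m-%d %H:%M:%S")
| table oldest_time, oldest_event, newest_time, total_events, retention_days
```

Run the panel with an "All time" range (or pin the search's own earliest/latest), otherwise the dashboard time picker clips the result to the selected window and the "oldest" event is only the oldest in that window.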

Ultra Champion

Do you need the actual event itself, or just the timestamp of the oldest event?

For the latter, a | metadata search would be most efficient I guess. So something along the lines of:

| metadata type=sources index=os source=/var/log/secure 
| table firstTime,source 
| convert ctime(firstTime)

Builder

I actually need the entire event. But good call on the metadata command. Cool stuff.



SplunkTrust

Start by tailing before tabling.
You are passing all the events in the world through the table command only to look for the last one.

index=os source=/var/log/secure
    | tail 1
    | table _raw