Find out index of hosts sending new since 24hrs

Splunk Search

Hi
I wanted to write a search that show all hosts that sends new since 24hrs into Splunk. The problem now is that I want to see in which index, these hosts deliver. For the first part I wrote the following search.

| metadata type=hosts index=_* OR index=*
| where firstTime >= relative_time(now(), "-24h")
| convert timeformat="%Y-%m-%d %T" ctime(firstTime) as firstTime, ctime(lastTime) as lastTime, ctime(recentTime) as recentTime
| search host!="*_*"
| table host, firstTime, recentTime
| join [|tstats latest(_time) as firsttwoTime where (index=* OR index=_*) by host, index
| table index, host]
| table index, host, firstTime, recentTime

The problem now is that this search is really slow, is there any other search that would be more efficient?

Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...

Are you a member of the Splunk Community?