Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How come the output of our tstats command is not getting written to a CSV?

Arpit_S
Path Finder
‎12-27-2018 08:26 AM

Hi,

I am trying to create a lookup that has the names of all the indexes and the timestamp of the oldest event in that index.

I am running the below search for this:

|tstats earliest(_time) as oldestEvent by index | outputlookup abcd.csv

I ran this search for almost 3 hours, and even then, the search wasn't complete. Though, when hovering over the progress bar, I was able to see that the search had scanned 100% of the events, but there were no results in the CSV.

Can someone help me with this.

Regards,
Arpit

Tags (2)
0 Karma
Reply

p_gurav
Champion
‎12-27-2018 10:31 PM

Try this:

| metasearch index=* | stats earliest(_time) as earliest_time by index

0 Karma
Reply

Arpit_S
Path Finder
‎12-28-2018 04:52 AM

This search is also taking forever to run.

0 Karma
Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎12-27-2018 09:30 AM

@Arpit_S

Have you tried rest command??

| rest /services/data/indexes

Can you please confirm it's working for you?

| rest /services/data/indexes | table title minTime | rename minTime as oldestEvent, title as index | outputlookup abcd.csv

Thanks

0 Karma
Reply

Arpit_S
Path Finder
‎12-27-2018 10:45 AM

@kamlesh_vaghela I am able to run "| rest /services/data/indexes " but there is no value under minTime field for me.

0 Karma
Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎12-27-2018 09:29 PM

@Arpit_S

Did you get minTime field blank for all the indexes??

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...