Re: How do I create a search that displays Host, T...

JoshuaJ · ‎09-15-2014

When I first log in to Splunk, one of the first things I see is called "Data Summary" (under what to search) which displays the host, total number of events indexed, earliest event, and the latest event from each host. I'm trying the recreate this table with very little success so hopefully you can help me out.

So far I have this:
* | stats count by host | sort by -count

This gives me a table with the host and total event count in descending order, but I can't figure out how to display the earliest and latest events. Any ideas? Thanks.

lguinn2 · ‎09-15-2014

Splunk uses the metadata command to produce the Data Summary. Try this

| metadata type=hosts
| fields host firstTime lastTime totalCount
| sort -totalCount
| fieldformat firstTime=strftime(firstTime,"%x %X")
| fieldformat lastTime=strftime(lastTime,"%x %X")

This will be much, much faster than using stats.

How do I create a search that displays Host, Total Event Count, Latest Event, and Earliest Event?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

Join the Conversation