How do I find the time events have been sent in for the last 3 days? I want to see the time 53 different events came in.
Hi @Fats120,
I'm not sure I understand your request:
do you want the timestamp or the indexing time of each event?
what do you mean by "53 different events came"?
Ciao.
Giuseppe
So I need to monitor 53 different events.
I need to know what time every event came in for the last 3 days.
Hi @Fats120,
do you need to know 53 generic events or specific ones (e.g. matching a string or a field)?
anyway you have to use the head command, something like this:
your_search
| head 53
Ciao.
Giuseppe
No, I need a table to show what time all events in the last 3 days came in.
Sorry for not being clear enough
Hi @Fats120,
did you try something like this?
your_search
| head 53
| table _time
I'm not sure I understand your request because this is too simple an answer!
Ciao.
Giuseppe
Essentially the search needs to look into a CSV file and show a table of all the events that are coming in for the last 3 days. I tried the search you provided but no luck.
Does your csv contain values that you want to search in your index over the last 3 days and extract the matching events?
Assuming your csv has a column called key and your events also have a field called key, you can do something like this
index=your_index earliest=-3d@d latest=@d
[| inputlookup your.csv | fields key]
If the field names between your csv and your index don't match, you can use rename to rename the field from the csv so that it matches the field in the indexed events.
A timestamp of all events.
Hi @Fats120,
first, how are the rows of the CSV file indexed in Splunk: in an index or in a lookup?
if in an index, you have to check whether the "time" column of the csv is correctly associated with the timestamp or not.
if yes, you can run a search like this:
index=your_index
| head 53
| table _time
if it isn't associated with a timestamp but is in a field called e.g. "time" using the format "YYYY-mm-dd HH:MM:SS", you have to add an additional filter, something like this:
index=your_index
| eval time=strptime(time,"%Y-%m-%d %H:%M:%S")
| where time>now()-3600*24*3
| head 53
| table _time
If instead the data are in a lookup and there is a field called "time", you could run something like this (a lookup has no _time field of its own, so the parsed value is written to _time for the filter and the table):
| inputlookup your_lookup
| eval _time=strptime(time,"%Y-%m-%d %H:%M:%S")
| where _time>now()-(3600*24*3)
| head 53
| table _time
Ciao.
Giuseppe
So you want to see WHEN the event arrived at the indexer? So you need to see the indextime:
index=your_search | rename _indextime as indextime | eval indextime=strftime(indextime,"%Y-%m-%d %H:%M:%S") | table _time indextime _raw
This shows:
_time = time Splunk thinks it is
indextime = time Splunk saved that data to disk
_raw = the event
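As an added illustration (not code from any of the posters above), the following Python script reproduces what the two answers do in SPL: it parses a "time" column with the strptime format quoted in the thread, keeps only rows within the last 3 days, returns at most 53 of them newest first (the head behaviour), and shows how filtering on event time (_time) and on arrival time (_indextime) can select different rows when an event arrives late. The CSV rows and the fixed reference "now" are constructed for the example.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Same format string the thread passes to strptime/strftime
TIME_FORMAT = "%Y-%m-%d %H:%M:%S"

# Constructed reference "now" so the example is deterministic (Splunk's now() is the wall clock)
NOW = datetime(2024, 3, 10, 12, 0, 0, tzinfo=timezone.utc)
WINDOW = timedelta(days=3)

# Constructed sample: "time" plays the role of the event timestamp (_time),
# "indextime" the moment the event was written to disk (_indextime).
# The backup report is a late arrival: it happened 5 days ago but was indexed 2 days ago.
SAMPLE_CSV = """time,indextime,key,message
2024-03-09 08:15:00,2024-03-09 08:15:05,login,user alice logged in
2024-03-06 23:59:00,2024-03-06 23:59:30,login,user bob logged in
2024-03-05 10:00:00,2024-03-08 09:00:00,backup,late-arriving backup report
2024-03-10 11:30:00,2024-03-10 11:30:02,error,disk full
2024-03-01 00:00:00,2024-03-01 00:00:01,login,old event
"""


def parse_time(value, fmt=TIME_FORMAT):
    """Equivalent of SPL strptime(): formatted string -> epoch seconds (UTC assumed)."""
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc).timestamp()


def format_time(epoch, fmt=TIME_FORMAT):
    """Equivalent of SPL strftime(): epoch seconds -> formatted string."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime(fmt)


def load_events(csv_text):
    """Read the CSV rows and attach numeric _time / _indextime fields, like the eval in the thread."""
    events = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        row["_time"] = parse_time(row["time"])
        row["_indextime"] = parse_time(row["indextime"])
        events.append(row)
    return events


def recent_events(events, by="_time", now=NOW, window=WINDOW, limit=53):
    """where <by> > now() - 3 days, newest first, then head <limit>."""
    cutoff = now.timestamp() - window.total_seconds()
    selected = [e for e in events if e[by] > cutoff]
    selected.sort(key=lambda e: e[by], reverse=True)  # Splunk returns newest first
    return selected[:limit]


def time_table(events):
    """Equivalent of | table _time indextime _raw, with both times rendered via strftime."""
    return [(format_time(e["_time"]), format_time(e["_indextime"]), e["message"]) for e in events]


if __name__ == "__main__":
    evs = load_events(SAMPLE_CSV)
    print("filtered on _time:")
    for row in time_table(recent_events(evs)):
        print("  ", row)
    print("filtered on _indextime:")
    for row in time_table(recent_events(evs, by="_indextime")):
        print("  ", row)
```

Filtering on _time returns two rows (disk full, alice); filtering on _indextime also returns the late-arriving backup report, which is exactly the distinction the last answer draws between when Splunk thinks the event happened and when it was saved to disk.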