Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I return the time of the first event from a specific host in the main index?

MikeyG
Explorer
‎10-08-2010 04:41 PM

Need to determine the date and time of when a specific host first logged to Splunk ...

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ziegfried
Influencer
‎10-08-2010 04:49 PM

If you're looking for the date/time of the event (ie. what the value Splunk has extracted from the Event), use this search:

single host:

| metadata type=hosts index=main | search host=<YOUR HOST> | convert ctime(firstTime) | table host firstTime

all hosts:

| metadata type=hosts index=main | convert ctime(firstTime) | table host firstTime

If you're looking for when the first event has been indexed use this search: (Select All time in the time range picker - may take a while)

single host:

index=main host=<YOUR HOST> | stats min(_indextime) as mintime by host | convert ctime(mintime) | table host mintime

all hosts:

index=main | stats min(_indextime) as mintime by host | convert ctime(mintime) | table host mintime

View solution in original post

Reply
Solved! Jump to solution

MikeyG
Explorer
‎10-08-2010 05:10 PM

That time/date would be outside the data that's currently in the main index ...

0 Karma
Reply
Solved! Jump to solution
Solution

ziegfried
Influencer
‎10-08-2010 04:49 PM

If you're looking for the date/time of the event (ie. what the value Splunk has extracted from the Event), use this search:

single host:

| metadata type=hosts index=main | search host=<YOUR HOST> | convert ctime(firstTime) | table host firstTime

all hosts:

| metadata type=hosts index=main | convert ctime(firstTime) | table host firstTime

If you're looking for when the first event has been indexed use this search: (Select All time in the time range picker - may take a while)

single host:

index=main host=<YOUR HOST> | stats min(_indextime) as mintime by host | convert ctime(mintime) | table host mintime

all hosts:

index=main | stats min(_indextime) as mintime by host | convert ctime(mintime) | table host mintime
Reply
Get Updates on the Splunk Community!

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...