Solved: How do I return the time of the first event from a...

MikeyG · ‎10-08-2010

Need to determine the date and time of when a specific host first logged to Splunk ...

ziegfried · ‎10-08-2010

If you're looking for the date/time of the event (ie. what the value Splunk has extracted from the Event), use this search:

single host:

| metadata type=hosts index=main | search host=<YOUR HOST> | convert ctime(firstTime) | table host firstTime

all hosts:

| metadata type=hosts index=main | convert ctime(firstTime) | table host firstTime

If you're looking for when the first event has been indexed use this search: (Select All time in the time range picker - may take a while)

single host:

index=main host=<YOUR HOST> | stats min(_indextime) as mintime by host | convert ctime(mintime) | table host mintime

all hosts:

index=main | stats min(_indextime) as mintime by host | convert ctime(mintime) | table host mintime

MikeyG · ‎10-08-2010

That time/date would be outside the data that's currently in the main index ...

ziegfried · ‎10-08-2010

If you're looking for the date/time of the event (ie. what the value Splunk has extracted from the Event), use this search:

single host:

| metadata type=hosts index=main | search host=<YOUR HOST> | convert ctime(firstTime) | table host firstTime

all hosts:

| metadata type=hosts index=main | convert ctime(firstTime) | table host firstTime

If you're looking for when the first event has been indexed use this search: (Select All time in the time range picker - may take a while)

single host:

index=main host=<YOUR HOST> | stats min(_indextime) as mintime by host | convert ctime(mintime) | table host mintime

all hosts:

index=main | stats min(_indextime) as mintime by host | convert ctime(mintime) | table host mintime

How do I return the time of the first event from a specific host in the main index?