How do I show the latest event for a sourcetype?

a212830 · ‎08-12-2015

Hi,

I need to show a customer that their logs are appearing in Splunk, and want to list the host, sourcetype, and source, along with the most recent event (with a nice date) going back 7 days.

I can do most of it, but am having problems with the most recent event per sourcetype. I have the following:

index=euc_*  host=lyncqa*fe* |fields host, sourcetype, source |dedup host, sourcetype, source |table host, sourcetype, source

Can someone help me?

maciep · ‎08-12-2015

tstats might be a faster option as well

| tstats latest(_time) as last where sourcetype=whatever | convert ctime(last)

lguinn2 · ‎08-12-2015

This search is extremely fast, and can give you basic info about sourcetypes

| metadata type=sourcetypes index=euc

You can also run this search with type=hosts and type=sources. You could create a dashboard with 3 panels and have one search in each panel. The recentTime in the result is the latest time that Splunk indexed data from that sourcetype (or host or source). The lastTime is the timestamp of the most recent event. In large environments, the metadata command might not be completely accurate, though. This command will look back as many days as it can.

For the complete listing (which you could use the check the accuracy of the above technique), I would do this

index=euc_
| stats latest(_time) as latestTime by  host sourcetype source
| eval latestTime=strftime(latestTime,"%x %X")

Since you are only looking at one index, the metadata command will probably be accurate.

How do I show the latest event for a sourcetype?

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor