Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How do i get Last Updated time for my index , and event data ??

rakesh_498115
Motivator
‎05-14-2013 06:44 AM

Hi..

I have a index called "mydata" , sourcetype="my_data" ..

my sample event is something likethis

2013-05-12:00:12:34 reportname="X" Request ##############
..................
.
.............

Here in my sample event , i need to know the LastUpdate for the different report_names ...I have following reportnames in the eventdata ..so i need the report like this..

reprot_name LastUpdateTime
X 2012-05-12:4:34:00
Y 2012-05-12:4:04:00

...

How can i get this ..Please help !!

Tags (3)
0 Karma
Reply

yannK
Splunk Employee
Splunk Employee
‎05-14-2013 07:38 AM

if you just want to list the latest timestamp for each reportname, you can use :

index=mydata sourcetype=mysourcetype source=mysource | stats latest(_time) AS LastUpdateTime by reportname | table reportname LastUpdateTime | sort -reportname

for details, see http://docs.splunk.com/Documentation/Splunk/5.0.2/SearchReference/CommonStatsFunctions

Reply

linu1988
Champion
‎05-14-2013 06:59 AM

Hello Rakesh,
i would like to know how the monitor the data?

If the data is coming like you mentioned, doing a "table report_name, LastUpdateTime,_time|dedup report_name" will give you the latest records.

Reply

rakesh_498115
Motivator
‎05-14-2013 08:04 AM

report names will be coming the logfile only....can you pls give the script to send me the last update time...cause i dnt want the run the the search for all time to find the last recent time for all the reportnames..

0 Karma
Reply

linu1988
Champion
‎05-14-2013 07:34 AM

i wanted to know how the report names are being indexed. As an alternative you can also write a script and configure in inputs.conf to send you the last modified time for the report files.

0 Karma
Reply

rakesh_498115
Motivator
‎05-14-2013 07:17 AM

i dont the file LastUpdateTime . 😞 .its not working ..monitor the data ??

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...