Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How do i get Last Updated time for my index , and event data ??

rakesh_498115
Motivator
‎05-14-2013 06:44 AM

Hi..

I have a index called "mydata" , sourcetype="my_data" ..

my sample event is something likethis

2013-05-12:00:12:34 reportname="X" Request ##############
..................
.
.............

Here in my sample event , i need to know the LastUpdate for the different report_names ...I have following reportnames in the eventdata ..so i need the report like this..

reprot_name LastUpdateTime
X 2012-05-12:4:34:00
Y 2012-05-12:4:04:00

...

How can i get this ..Please help !!

Tags (3)
0 Karma
Reply

yannK
Splunk Employee
Splunk Employee
‎05-14-2013 07:38 AM

if you just want to list the latest timestamp for each reportname, you can use :

index=mydata sourcetype=mysourcetype source=mysource | stats latest(_time) AS LastUpdateTime by reportname | table reportname LastUpdateTime | sort -reportname

for details, see http://docs.splunk.com/Documentation/Splunk/5.0.2/SearchReference/CommonStatsFunctions

Reply

linu1988
Champion
‎05-14-2013 06:59 AM

Hello Rakesh,
i would like to know how the monitor the data?

If the data is coming like you mentioned, doing a "table report_name, LastUpdateTime,_time|dedup report_name" will give you the latest records.

Reply

rakesh_498115
Motivator
‎05-14-2013 08:04 AM

report names will be coming the logfile only....can you pls give the script to send me the last update time...cause i dnt want the run the the search for all time to find the last recent time for all the reportnames..

0 Karma
Reply

linu1988
Champion
‎05-14-2013 07:34 AM

i wanted to know how the report names are being indexed. As an alternative you can also write a script and configure in inputs.conf to send you the last modified time for the report files.

0 Karma
Reply

rakesh_498115
Motivator
‎05-14-2013 07:17 AM

i dont the file LastUpdateTime . 😞 .its not working ..monitor the data ??

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...