Solved: How to Search to show any new logs/indexes added t...

wgph96 · ‎08-08-2022

I am creating a dashboard to show any new logs that are added to our environment within a period of time.

For example - if we started ingesting AWS logs and Azure logs 2 days ago is there a way I can create a dashboard that shows these 2 new ingestions?

I am having trouble making a search query that can display a new value with the name of the recently added index added to the environment. Does anyone have any suggestions on how to solve this? Thanks.

somesoni2 · ‎08-08-2022

Give this a try. Use a larger time-range (e.g. last 7 days) and adjust filter as necessary. Current example searches for new data that was added within last 2 days (searching data for last 7 days).

|  tstats min(_indextime) as IngestTime WHERE index=* OR index=_* earliest=-7d by index sourcetype 
|  convert ctime(IngestTime) as IngestTimeHuman 
|  where IngestTime> relative_time(now(),"-24h")

View solution in original post

somesoni2 · ‎08-08-2022

Give this a try. Use a larger time-range (e.g. last 7 days) and adjust filter as necessary. Current example searches for new data that was added within last 2 days (searching data for last 7 days).

|  tstats min(_indextime) as IngestTime WHERE index=* OR index=_* earliest=-7d by index sourcetype 
|  convert ctime(IngestTime) as IngestTimeHuman 
|  where IngestTime> relative_time(now(),"-24h")

How to Search to show any new logs/indexes added to the environment within a period of time?

lookup

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

What’s New in Splunk Observability – September 2025

Fun with Regular Expression - multiples of nine

Are you a member of the Splunk Community?

How to Search to show any new logs/indexes added to the environment within a period of time?

lookup

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

What’s New in Splunk Observability – September 2025

Fun with Regular Expression - multiples of nine