Splunk Search

How to calculate age of a file in Splunk in a search?

Communicator

Hi,

Could somebody tell me a simple way to calculate the age of a file in Splunk via a search?

Thanks
Sunny


Re: How to calculate age of a file in Splunk in a search?

Path Finder

You can use the dbinspect command:

| dbinspect index=nameofyour_index state=warm

For more information, take a look at the dbinspect command.


Re: How to calculate age of a file in Splunk in a search?

Communicator

Hi,

Thanks for the reply, but I am doing something like this. It is giving a result, but not an exact one. Below is the query:

| metadata type=sources index=peppol | eval age=now()-recentTime | where age>1440/60

I want to calculate the age of the file in hours, so that Splunk shows the files which are older than 24 hrs.

Thanks
Sunny


Re: How to calculate age of a file in Splunk in a search?

Path Finder

As per my understanding, the requirement is the age of the files in hours and the files older than 24 hours. You can use this query:

| metadata type=sources index=main | eval age=now()-recentTime | eval age=(age/3600) | where age>86400/3600


Re: How to calculate age of a file in Splunk in a search?

Communicator

I have run your query. It is giving a result like the one given below:

age      firstTime   lastTime    recentTime  source     totalCount  type
-------  ----------  ----------  ----------  ---------  ----------  -------
691.65   1432615825  1432711546  1437484002  File path  206850      sources
2012.62  1432615825  1432711546  1432728536  File path  206850      sources

Now I want to clear up a few things, i.e. my doubts: the age is still not showing properly, as you can see it is showing 691 and 2012 respectively, and my logs are hardly 3-4 days old. Also, what do the columns "firstTime", "lastTime" and "recentTime" mean? What do these columns imply here?

Thanks
Sunny


Re: How to calculate age of a file in Splunk in a search?

Path Finder

Here:
firstTime is the timestamp for the first time that the indexer saw an event from this host.
lastTime is the timestamp for the last time that the indexer saw an event from this host.
recentTime is the index time for the most recent time that the indexer saw an event from this host. In other words, this is the time of the last update.

691 and 2012 are the hours.

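The computation the thread converges on (age in hours = (now() - recentTime) / 3600, then keep rows over 24 hours), worked through offline as an added example that is not part of the thread or of Splunk itself. It also computes the age from lastTime alongside the age from recentTime, which makes the difference between event time and index time visible: the sample rows reuse the epoch values from the result table above, the source paths are placeholders (the original post showed them as "File path"), and the value of now (1439973942) is an assumption chosen so the output is reproducible. The equivalent SPL is given in a comment.

```python
"""Compute per-source age from Splunk ``| metadata type=sources`` output.

Added example, not from the thread. Input rows are the fields that
``| metadata`` returns: firstTime/lastTime are event timestamps, recentTime
is the index time of the newest event, all in epoch seconds. ``now`` is a
fixed, assumed value so the numbers are reproducible offline.
"""
from dataclasses import dataclass

SECONDS_PER_HOUR = 3600


@dataclass(frozen=True)
class SourceMeta:
    source: str
    firstTime: int
    lastTime: int
    recentTime: int
    totalCount: int


# Constructed sample: the two rows from the thread's result table. The source
# paths are placeholders; the original post redacted them as "File path".
SAMPLE_ROWS = [
    SourceMeta("/var/log/app/peppol-a.log", 1432615825, 1432711546, 1437484002, 206850),
    SourceMeta("/var/log/app/peppol-b.log", 1432615825, 1432711546, 1432728536, 206850),
]

# Assumed "now" (epoch seconds) used for the worked numbers.
NOW = 1439973942


def age_hours(epoch_seconds: int, now: int) -> float:
    """Hours elapsed between an epoch timestamp and ``now``, rounded to 0.01."""
    return round((now - epoch_seconds) / SECONDS_PER_HOUR, 2)


def source_ages(rows, now):
    """Return {source: (index_age_h, event_age_h)}.

    index_age_h mirrors the thread's eval (now() - recentTime): how long since
    Splunk last *indexed* anything from the source.
    event_age_h is now() - lastTime: how old the newest *event timestamp* is.
    The two differ whenever data is ingested late or backfilled, which is why
    an age computed from recentTime can be far larger than the log content
    suggests.
    """
    return {
        r.source: (age_hours(r.recentTime, now), age_hours(r.lastTime, now))
        for r in rows
    }


def stale_sources(rows, now, threshold_hours=24.0):
    """Sources whose newest event was indexed more than threshold_hours ago.

    Equivalent SPL:
      | metadata type=sources index=peppol
      | eval age_hours=round((now()-recentTime)/3600, 2)
      | where age_hours > 24
    """
    return sorted(
        r.source for r in rows if age_hours(r.recentTime, now) > threshold_hours
    )


if __name__ == "__main__":
    for src, (idx_age, evt_age) in source_ages(SAMPLE_ROWS, NOW).items():
        print(f"{src}: {idx_age} h since last index, {evt_age} h since newest event")
    print("older than 24 h:", stale_sources(SAMPLE_ROWS, NOW))
```

With the assumed now, the first row comes out at 691.65 hours since its last index time, which is the figure in the thread's table; dividing by 24 shows that is roughly 29 days, so a source whose events are a few days old by event time can still be several weeks old by index time.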