Splunk Search

How to determine the date range of events in an index?

tkrpata5588
New Member

I am trying to figure out something that I think should be fairly simple: given an index, what is the date/time range of the events in the index? In other words, what range of time is spanned by the oldest event to the newest event?

I tried to find an answer on this, but the closest I could get was to use "metadata" which only gives me any results at all if I specify "index=*". If I give it a specific index name, there are no results.

0 Karma

gekoner
Communicator

If you go into Manager > Indexes, you should get an output of each of your indexes that has both an Earliest event and a Latest event column. I think that might get you what you need.

gekoner
Communicator

If you have an index distributed across multiple indexers then this will make a difference.

The only thing I can think of is to use a search like this.

(| metadata index=main type=hosts splunk_server=local | stats max(lastTime) as lastTime, min(firstTime) as firstTime | convert ctime(*Time) ) OR (| metadata index=main type=hosts splunk_server=remote | stats max(lastTime) as lastTime, min(firstTime) as firstTime | convert ctime(*Time) )

*This assumes you have data in the index, i.e., if you search the index using the last 24 hours, you see results returned.

0 Karma
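
An added example, not part of either poster's replies: a single search that reports the oldest and newest event time per indexer and for the index as a whole, which covers the distributed-indexer case raised above. It assumes the index name `main` from the search above, that the `tstats` command is available in your Splunk version, and that the time range picker is set to All time.

```spl
| tstats min(_time) as firstTime max(_time) as lastTime where index=main by index splunk_server
| eventstats min(firstTime) as indexFirstTime max(lastTime) as indexLastTime by index
| eval spanDays = round((indexLastTime - indexFirstTime) / 86400, 1)
| convert ctime(*Time)
```

Each row is one indexer holding part of the index; `indexFirstTime`, `indexLastTime` and `spanDays` repeat the overall range on every row, so an indexer whose own range is much shorter than the index-wide one stands out as a retention or ingestion gap.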

tkrpata5588
New Member

I am getting "N/A" under both those columns for the indexes I care about. Is it potentially because I have a separate search head and distributed indexers?

0 Karma