- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to determine the date range of events in an index?
I am trying to figure out something that I think should be fairly simple: given an index, what is the date/time range of the events in the index? In other words, what range of time is spanned by the oldest event to the newest event?
I tried to find an answer on this, but the closest I could get was to use "metadata" which only gives me any results at all if I specify "index=*". If I give it a specific index name, there are no results.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you go into Manager > Indexes. You should get an output of each of your indexes that has both a Earliest event and a Latest event column. I think that might get you what you need.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you have an index distributed across multiple indexers then this will make a difference.
The only thing I can think of is to use a search like this.
(| metadata index=main type=hosts splunk_server=local | stats max(lastTime) as lastTime, min(firstTime) as firstTime | convert ctime(*Time) ) OR (| metadata index=main type=hosts splunk_server=remote | stats max(lastTime) as lastTime, min(firstTime) as firstTime | convert ctime(*Time) )
*This assumes you have data in the index. I.e if you search the index using the last 24 hours, you see results returned.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am geting "N/A" under both those columns for the indexes I care about. Is it potentially because I have a separate search head and distributed indexers?
