Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to get an output containing all host details along with their last update times?

Sangeeta_1
Explorer
‎09-25-2024 12:52 AM

How to get an output containing all host details of all time along with their last update times? 

Below search is taking huge time, how to get this optimized for faster search -

index=*| fields host, _time 
| stats max(_time) as last_update_time by host
| eval t=now()
| eval days_since_last_update=tonumber(strftime((t-last_update_time),"%d"))-1 
| where days_since_last_update>30
| eval last_update_time=strftime(last_update_time, "%Y-%m-%d %H:%M:%S") 
| table last_update_time host days_since_last_update

 

Labels (1)
Labels
0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎09-25-2024 09:11 PM

This should be fast enough

| tstats max(_time) AS _time WHERE index=* BY host
| where relative_time(now(), "-30d") > _time
| reltime
| rename reltime as since_last_update
| eval last_update_time = strftime(_time, "%F %T")
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎09-25-2024 05:48 AM

Hi @Sangeeta_1 ,

please try this:

| tstats count latest(_time) AS _time WHERE index=* BY host
| table host -time

Ciao.

Giuseppe

Reply

Sangeeta_1
Explorer
‎09-25-2024 08:14 AM

Thanks @gcusello for the help. But I am getting future dates like below, but the search was for the last time when I am getting any event w.r.t all the host. I have selected date range as all time. Can you please suggest here?

2031-12-11 08:40:08
2025-01-11 09:05:56
2024-10-30 08:12:49
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎09-25-2024 08:37 AM

Hi @Sangeeta_1 ,

with my search you should have the latest timestamp for each host, if you have future dates, probably you have some event not correctly parsed because it has future timestamps.

Ciao.

Giuseppe

Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎09-25-2024 01:09 AM 
| metadata type=hosts index=*
0 Karma
Reply

Sangeeta_1
Explorer
‎09-25-2024 08:15 AM

Hi @ITWhisperer  Thanks for your comment, but metadata contains limited to a certain time in history, like I can get the data for only last 30 days or so.

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎09-25-2024 11:49 AM

Does using alltime help?

0 Karma
Reply
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...