Splunk Search
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to get an output containing all host details along with their last update times?

Sangeeta_1
Explorer
‎09-25-2024 12:52 AM

How to get an output containing all host details of all time along with their last update times? 

Below search is taking huge time, how to get this optimized for faster search -

index=*| fields host, _time 
| stats max(_time) as last_update_time by host
| eval t=now()
| eval days_since_last_update=tonumber(strftime((t-last_update_time),"%d"))-1 
| where days_since_last_update>30
| eval last_update_time=strftime(last_update_time, "%Y-%m-%d %H:%M:%S") 
| table last_update_time host days_since_last_update

 

0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎09-25-2024 09:11 PM

This should be fast enough

| tstats max(_time) AS _time WHERE index=* BY host
| where relative_time(now(), "-30d") > _time
| reltime
| rename reltime as since_last_update
| eval last_update_time = strftime(_time, "%F %T")
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎09-25-2024 05:48 AM

Hi @Sangeeta_1 ,

please try this:

| tstats count latest(_time) AS _time WHERE index=* BY host
| table host -time

Ciao.

Giuseppe

Reply

Sangeeta_1
Explorer
‎09-25-2024 08:14 AM

Thanks @gcusello for the help. But I am getting future dates like below, but the search was for the last time when I am getting any event w.r.t all the host. I have selected date range as all time. Can you please suggest here?

2031-12-11 08:40:08
2025-01-11 09:05:56
2024-10-30 08:12:49
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎09-25-2024 08:37 AM

Hi @Sangeeta_1 ,

with my search you should have the latest timestamp for each host, if you have future dates, probably you have some event not correctly parsed because it has future timestamps.

Ciao.

Giuseppe

Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎09-25-2024 01:09 AM 
| metadata type=hosts index=*
0 Karma
Reply

Sangeeta_1
Explorer
‎09-25-2024 08:15 AM

Hi @ITWhisperer  Thanks for your comment, but metadata contains limited to a certain time in history, like I can get the data for only last 30 days or so.

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎09-25-2024 11:49 AM

Does using alltime help?

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | How many sides does a circle have?

  March 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

New This Month - Splunk Observability updates and improvements for faster ...

What’s New? This month, we’re delivering several enhancements across Splunk Observability Cloud for faster and ...

What's New in Splunk Cloud Platform 9.3.2411?

Hey Splunky People! We are excited to share the latest updates in Splunk Cloud Platform 9.3.2411. This release ...
li.common.scroll-to.top