How to use dbinspect to monitor a specific index and get the following information?

RonD
Explorer

Hi,

I would like to monitor a specific index and get the following information:
source - name
oldest searchable event by source.

I understand the basics of dbinspect, that it will display the startEpoch values and sort it for the earliest value, and I can figure out the oldest event using this field and sourceCount only. However, I need to identify the source "name" so I can pair the two: source name and oldest searchable event.

OR if there is another command I can use instead of dbinspect that will provide the needed information. Doing stats command in this use case will not work as I will be looking for events that are 1 year old and I favor the dbinspect search time.

Please advise.

Thanks and regards.


yuanliu
SplunkTrust

metadata comes to mind. Try

| metadata type=sources index=_internal

This is provided that the time is of concern. Or do you need to retrieve that very record?
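
Applied to the original question (each source name paired with its oldest event), the metadata suggestion can be shaped as follows. This is an added example, not part of the original reply: `index=foo` is a placeholder index name and the column names `oldest_event`, `newest_event` and `age_days` are chosen here, while `firstTime`, `lastTime` and `totalCount` are fields that `metadata` returns.

```spl
| metadata type=sources index=foo
| eval oldest_event=strftime(firstTime, "%Y-%m-%d %H:%M:%S"),
       newest_event=strftime(lastTime, "%Y-%m-%d %H:%M:%S"),
       age_days=round((now() - firstTime) / 86400, 1)
| sort 0 firstTime
| table source oldest_event newest_event age_days totalCount
```

Run it over All time: metadata reads per-bucket summaries, so a narrower time range gives imprecise results. On an index with a very large number of distinct sources the list may be incomplete, because the command caps how many values it tracks.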


RonD
Explorer

Very thankful to this community. I tried both and the metadata is the information that I was looking for. I also tried the tstats command recommendations but when I ran for all time, it only found events that are 3 months old.

Thank you both!

richgalloway
SplunkTrust

Have you tried the tstats command? It's very fast and can get the information you want.

| tstats earliest(_time) as oldest where index=foo by source 
| fieldformat oldest=strftime(oldest,"%Y-%m-%d %H:%M:%S")
---
If this reply helps you, Karma would be appreciated.