Splunk Search

How to use dbinspect to monitor a specific index and get the following information?

RonD
Explorer

Hi,

I would like to monitor a specific index and get the following information:
source - name
oldest searchable event by source.

I understand the basics of dbinspect that it will display the startEpoch values and sort it for the earliest value and I can figure out the oldest event using this field and sourceCount only, however I need to identify the source "name" so I can pair the 2: source name and oldest searchable event

OR if there is another command I can use instead of dbinspect that will provide the needed information. Doing stats command in this use case will not work as I will be looking for events that are 1 year old and I favor the dbinspect search time.

Please advise.

Thanks and regards.

Labels (3)
0 Karma
1 Solution

yuanliu
SplunkTrust
SplunkTrust

metadata comes to mind. Try

| metadata type=sources index=_internal

This is provided that the time is of concern. Or do you need to retrieve that very record?

View solution in original post

Tags (1)

RonD
Explorer

Very thankful to this community. I tried both and the metadata is the information that I was looking for. I also tried the tstat command recommendations but when I ran for all time, it only found events that are 3 months old.

Thank you both!

yuanliu
SplunkTrust
SplunkTrust

metadata comes to mind. Try

| metadata type=sources index=_internal

This is provided that the time is of concern. Or do you need to retrieve that very record?

Tags (1)

richgalloway
SplunkTrust
SplunkTrust

Have you tried the tstats command? It's very fast and can get the information you want.

| tstats earliest(_time) as oldest where index=foo by source 
| fieldformat oldest=strftime(oldest,"%Y-%m-%d %H:%M:%S")
---
If this reply helps you, Karma would be appreciated.
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In November, the Splunk Threat Research Team had one release of new security content via the Enterprise ...

Index This | Divide 100 by half. What do you get?

November 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

❄️ Celebrate the season with our December lineup of Community Office Hours, Tech Talks, and Webinars! ...