Index Earliest and Latest events

mrccasi · ‎11-04-2021

Hi,

I currently have this search that gets the earliest and latest timestamp of index. But since I am running this search in All time Time range, it is very slow.

| tstats earliest(_time) as earliestTime latest(_time) as latestTime where index=* by index
| eval strfearliestTime=strftime(earliestTime,"%Y/%m/%d %H:%M:%S")
| eval strflatestTime=strftime(latestTime,"%Y/%m/%d %H:%M:%S")

Do you have any other options on getting this information? I also tried using | rest command. But I am not getting the minTime and maxTime I saw on queries that others are using.

| rest /services/data/indexes
| eval indexSize=tostring(round(currentDBSizeMB/1024,2), "commas"), events=tostring(totalEventCount, "commas"), daysRetention=frozenTimePeriodInSecs/60/60/24
| foreach *Time
[| eval <<FIELD>>=strptime(<<FIELD>>,"%Y-%m-%dT%H:%M:%S%Z"), <<FIELD>>=strftime(<<FIELD>>,"%m/%d/%Y %H:%M:%S") ]
| fillnull value="n/a"
| table title, splunk_server, indexSize, daysRetention, events, maxTime, minTime
| rename title as "Index Name", splunk_server as "Splunk Server" indexSize as "Current Size on Disk (GB)", daysRetention as "Retention Period in Days", events as "Count of events", maxTime as "Most Recent Event", minTime as "Earliest Event"

Can you please suggest other options? Thank you!

isoutamo · ‎11-04-2021

Hi

based on MC's query this will do it

| rest splunk_server=<your idx servers> /services/data/indexes 
  | join type=outer title [
    | rest splunk_server=<your idx servers> /services/data/indexes-extended 
  ]
| fields title minTime maxTime

r. Ismo

mrccasi · ‎11-08-2021

Hi,

For some reason our rest command really don't have values in mix and max time. I have used dbinspect instead to get the earliest and latest events per index.

Thank you.

Index Earliest and Latest events

tstats

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

AppDynamics is now part of Splunk Ideas

Advanced Splunk Data Management Strategies