Solved: Is there a fast way to search all indexes to list ...

jwleppert · ‎05-24-2016

Is there a fast way to search all indexes to list just the index name and the time/date of the last event or update?
My searches are taking entirely too long. I tried an 'eventcount' search which runs fast, but it only provides sourcetype names and not the index names.

sjohnson_splunk · ‎05-24-2016

You should be able to use a rest command to get the results:

|rest /services/data/indexes | table title

View solution in original post

splunkton · ‎05-24-2016

Give a shot hope fully it solves your query

index=* | eval latest=now()|table index latest converttime |eval converttime=strftime(latest,"%m/%d/%y %H:%M:%S") |dedup index latest

jwleppert · ‎05-24-2016

That looks to work but it runs too slow. Any query I run starting with Index=* runs too slow
I was hoping something faster using dbinspect or tstats

splunkton · ‎05-24-2016

try this

| tstats latest(_time) as latest by index |eval converttime=strftime(latest,"%m/%d/%y %H:%M:%S")|fields index converttime

ryanoconnor · ‎05-24-2016

This should get you what you need:

index=* 
| stats latest(_time) as latestTime by index
| eval latestTime=strftime(latestTime,"%x %X")

jwleppert · ‎05-24-2016

That looks to work but it runs too slow. Any query I run starting with Index=* runs too slow

ryanoconnor · ‎05-24-2016

This might be faster:

| eventcount summarize=false index=* index=_* 
| dedup index | fields index  | map maxsearches=100 search="|metadata type=sourcetypes index=\"$index$\"
| eval index=\"$index$\"" | eval latestTime=strftime(lastTime,"%x %X") | table latestTime index | stats max(latestTime) by index

jwleppert · ‎05-24-2016

Error in 'map': Did not find value for required attribute 'index'.

sjohnson_splunk · ‎05-24-2016

You should be able to use a rest command to get the results:

|rest /services/data/indexes | table title

jwleppert · ‎05-24-2016

|rest /services/data/indexes | table title updated

this gives duplicate index names

richgalloway · ‎05-24-2016

Of course, it does. Your indexes reside on multiple indexers with different update times. If you don't want duplicates you have a couple of options.

 |rest /services/data/indexes | dedup title | table title updated

 |rest /services/data/indexes | stats first(updated) by title

---
If this reply helps you, Karma would be appreciated.

jwleppert · ‎05-24-2016

That runs quick, thx!

jwleppert · ‎05-24-2016

that doesn't give the time/date of the last event

richgalloway · ‎05-24-2016

This does:

|rest /services/data/indexes | table title updated

---
If this reply helps you, Karma would be appreciated.

richgalloway · ‎05-24-2016

Does it have to be a query? The Settings->Indexes screen shows the information you seek.

---
If this reply helps you, Karma would be appreciated.

Is there a fast way to search all indexes to list just the index names and the date/time of the last event or update?

Tech Talk Recap | Mastering Threat Hunting

Observability for AI Applications: Troubleshooting Latency

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

Are you a member of the Splunk Community?

Is there a fast way to search all indexes to list just the index names and the date/time of the last event or update?

Tech Talk Recap | Mastering Threat Hunting

Observability for AI Applications: Troubleshooting Latency

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?