Re: Is there a search command for Splunk that will...

esweeney · ‎06-15-2010

Is there a search command for Splunk that will find the oldest event in the index for a host faster than letting a full query run?

Lowell · ‎06-15-2010

This should do the trick:

| metadata index=myindex type=hosts | search host="myhost" | fields + host, firstTime | convert ctime(firstTime)

newbie2tech · ‎07-24-2017

Any idea,
how do we get the same by indexer? using splunk_server in by clause of stats wouldn't give the information.

gkanapathy · ‎06-15-2010

The oldest event, or the time of the oldest event? The time is easy:

| metadata type=hosts | stats min(firstTime) as _time, values(host)

Once you have that, you could just take the time and search, or use a subsearch:

[ metadata type=hosts | stats min(firstTime) as _time, values(host) as host | mvexpand host ]

which will come back with all the events with that timestamp.

gkanapathy · ‎06-15-2010

sorry, i guess the question was for a particular host, not any host. well.

Is there a search command for Splunk that will find the oldest event in the index for a host faster than letting a full query run?