Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forย 
Search instead forย 
Did you mean:ย 
Ask a Question

Is there a search command for Splunk that will find the oldest event in the index for a host faster than letting a full query run?

esweeney
Splunk Employee
Splunk Employee
โ€Ž06-15-2010 05:25 AM

Is there a search command for Splunk that will find the oldest event in the index for a host faster than letting a full query run?

Tags (3)
Reply

Lowell
Super Champion
โ€Ž06-15-2010 01:17 PM

This should do the trick:

| metadata index=myindex type=hosts | search host="myhost" | fields + host, firstTime | convert ctime(firstTime)
Reply

newbie2tech
Communicator
โ€Ž07-24-2017 01:53 PM

Any idea,
how do we get the same by indexer? using splunk_server in by clause of stats wouldn't give the information.

0 Karma
Reply

gkanapathy
Splunk Employee
Splunk Employee
โ€Ž06-15-2010 01:16 PM

The oldest event, or the time of the oldest event? The time is easy:

| metadata type=hosts | stats min(firstTime) as _time, values(host)

Once you have that, you could just take the time and search, or use a subsearch:

[ metadata type=hosts | stats min(firstTime) as _time, values(host) as host | mvexpand host ]

which will come back with all the events with that timestamp.

Reply

gkanapathy
Splunk Employee
Splunk Employee
โ€Ž06-15-2010 04:30 PM

sorry, i guess the question was for a particular host, not any host. well.

0 Karma
Reply