Splunk Search
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Is there a search command for Splunk that will find the oldest event in the index for a host faster than letting a full query run?

esweeney
Splunk Employee
Splunk Employee
‎06-15-2010 05:25 AM

Is there a search command for Splunk that will find the oldest event in the index for a host faster than letting a full query run?

Tags (3)
Reply

Lowell
Super Champion
‎06-15-2010 01:17 PM

This should do the trick:

| metadata index=myindex type=hosts | search host="myhost" | fields + host, firstTime | convert ctime(firstTime)
Reply

newbie2tech
Communicator
‎07-24-2017 01:53 PM

Any idea,
how do we get the same by indexer? using splunk_server in by clause of stats wouldn't give the information.

0 Karma
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎06-15-2010 01:16 PM

The oldest event, or the time of the oldest event? The time is easy:

| metadata type=hosts | stats min(firstTime) as _time, values(host)

Once you have that, you could just take the time and search, or use a subsearch:

[ metadata type=hosts | stats min(firstTime) as _time, values(host) as host | mvexpand host ]

which will come back with all the events with that timestamp.

Reply

gkanapathy
Splunk Employee
Splunk Employee
‎06-15-2010 04:30 PM

sorry, i guess the question was for a particular host, not any host. well.

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | How many sides does a circle have?

  March 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

New This Month - Splunk Observability updates and improvements for faster ...

What’s New? This month, we’re delivering several enhancements across Splunk Observability Cloud for faster and ...

What's New in Splunk Cloud Platform 9.3.2411?

Hey Splunky People! We are excited to share the latest updates in Splunk Cloud Platform 9.3.2411. This release ...
Top