I need a list of indexes that are newly created in the last 30 days and need the creation date of those indexes.
I have used this query:
| rest /services/data/indexes
| search totalEventCount > 0
| eval now=strftime(now(), "%Y-%m-%d")
| stats first(minTime) as first_date first(now) as now first(currentDBSizeMB) as currentDBSizeMB by title
| eval comparison_date=now()-30*86400
| sort - first_date
| eval first_date=strptime(first_date,"%Y-%m-%dT%H:%M:%S.%6N")
| eval status=if(first_date
You could maintain such a list in a lookup, amend the lookup with a scheduled search using that REST call every day to add a creation date to a first-seen lookup, and then use that lookup to filter for last 30 days or whatever time range you need.
https://www.splunk.com/en_us/blog/tips-and-tricks/maintaining-state-of-the-union.html
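A worked version of the first-seen lookup approach, added here as an illustration; it is not code from the answer above or from the linked blog post. The lookup name index_first_seen.csv, the YYYY-MM-DD date format and the splunk_server=* argument are assumptions that you may need to adjust for your deployment. The first search is the one to schedule daily; the second is the ad hoc query that answers the original question.

```spl
| rest /services/data/indexes splunk_server=*
| search totalEventCount > 0
| fields title
| eval first_seen=strftime(now(), "%Y-%m-%d")
| inputlookup append=true index_first_seen.csv
| stats min(first_seen) as first_seen by title
| outputlookup index_first_seen.csv

| inputlookup index_first_seen.csv
| eval first_seen_epoch=strptime(first_seen, "%Y-%m-%d")
| where first_seen_epoch >= relative_time(now(), "-30d@d")
| sort - first_seen
| table title first_seen
```

How it works: each run lists the indexes currently visible via REST (splunk_server=* so that the search peers are queried explicitly and not only the search head), stamps every row with today's date, appends the rows already stored in the lookup, and keeps the earliest date per index with min(first_seen) before writing the lookup back. An index therefore keeps the date on which it was first observed, no matter how it was created (UI, API or conf file). Two caveats: the lookup has to exist before the first scheduled run, so seed it once by running the scheduled search without the inputlookup line; and every index that already exists on the seeding day gets that day as its first-seen date, so the "last 30 days" view only becomes trustworthy once the lookup has been maintained for 30 days.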
I believe this problem has wider ramifications. Please have a look at Splunk Ideas for a proposal to integrate Splunk with Source Code Control: https://ideas.splunk.com/ideas/E-I-7
This would address this problem and many others. SCC would maintain all your modification dates and revision history. You can furthermore splunk a git repo as well as the git metadata, to report both the available facts and the current code.
Because Splunk supports so many disparate ways to update your configuration--which is code when it comes right down to it--this has always been a problem. In the field there are many ingenious and occasionally really scary home-made solutions, which you have to have, or mature Splunk installations sooner or later become unmanageable.
If you support the notion of source code control integration for Splunk, please vote for the idea so it gets more traction.
Charles
What about this search query?
index=_audit action=indexes_edit operation=create
This should only tell you about indexes created via API / UI, not about indexes created via conf files (most common case in real-world environments with a separate indexing tier). Those don't have an easily accessible creation date.