Re: Querying when the last time, an event was seen...

msg4sunil · ‎03-31-2022

How to know the last event's time from each of the hosts in the system?. The output can be of the below format?

host1|datetime

host2|datetime

thank you

PickleRick · ‎03-31-2022

Since host is an indexed field you can use

| tstats latest_time by host where index=XXX

msg4sunil · ‎03-31-2022

@PickleRick , sorry, I am a normal user and have access to only specific index. Running the above command is failing.

Error in 'tstats' command: Invalid argument: 'index=indexname

PickleRick · ‎03-31-2022

Try without the whole where condition.

msg4sunil · ‎03-31-2022

see the below error

Error in 'TsidxStats': A field for an aggregate function is missing or invalid. Aggregate functions require fields with valid values to complete their arguments.

PickleRick · ‎04-01-2022

I rarely do the earliest/latest and so on 🙂

Probably max(_time) or latest(_time) will be what you need (they are not the same thing though!). As an excercise, think about the difference between max(_time) and latest(_time) 😉

Querying when the last time, an event was seen from various hosts in the system

other

Updated Team Landing Page in Splunk Observability

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...