Querying when the last time, an event was seen fro...

msg4sunil · ‎03-31-2022

How to know the last event's time from each of the hosts in the system?. The output can be of the below format?

host1|datetime

host2|datetime

thank you

PickleRick · ‎03-31-2022

Since host is an indexed field you can use

| tstats latest_time by host where index=XXX

msg4sunil · ‎03-31-2022

@PickleRick , sorry, I am a normal user and have access to only specific index. Running the above command is failing.

Error in 'tstats' command: Invalid argument: 'index=indexname

PickleRick · ‎03-31-2022

Try without the whole where condition.

msg4sunil · ‎03-31-2022

see the below error

Error in 'TsidxStats': A field for an aggregate function is missing or invalid. Aggregate functions require fields with valid values to complete their arguments.

PickleRick · ‎04-01-2022

I rarely do the earliest/latest and so on 🙂

Probably max(_time) or latest(_time) will be what you need (they are not the same thing though!). As an excercise, think about the difference between max(_time) and latest(_time) 😉

Querying when the last time, an event was seen from various hosts in the system

other

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!