Hi,
Is there a way to sort the below query based on both firstTime and total count? I want to know which sourcetypes have more counts based on the recent firstTime.
| metadata type=sourcetypes | eval duration=now()-firstTime | where duration
This tells you sourcetypes which are new in the last week (7 days):
| metadata type=sourcetypes
| eval firstAgoSeconds=now()-firstTime
| where firstAgoSeconds < (7 * 24 * 60 * 60)
| convert timeformat="%m-%d-%Y %H:%M:%S" ctime(firstTime) ctime(lastTime) ctime(recentTime)
The metadata command is fine if you don't need a completely accurate count. If you are looking for the most active recent sourcetypes, I would probably do something like this:
| tstats count where index=* by sourcetype | sort -5 count
will give you the top 5 sourcetypes, based on the timerange you choose for the search. I find that tstats is more accurate when I am interested in a particular timerange, and it is still dramatically faster than a basic search for this purpose.
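Combining the two answers above, here is an added example (not from either poster) for the original question: keep only sourcetypes first seen in the last 7 days, then sort by most recent firstTime and, within the same firstTime, by totalCount. The sort runs on the epoch values before convert, because once ctime() has turned them into "%m-%d-%Y" strings they no longer sort chronologically. It assumes index=* and the 7-day window.

```spl
| metadata type=sourcetypes index=*
| eval firstAgoSeconds=now()-firstTime
| where firstAgoSeconds < (7 * 24 * 60 * 60)
| sort -firstTime, -totalCount
| convert timeformat="%m-%d-%Y %H:%M:%S" ctime(firstTime) ctime(lastTime) ctime(recentTime)
| table sourcetype firstTime lastTime recentTime totalCount
```

As the second answer notes, totalCount from metadata is approximate; for an exact count over a chosen time range use tstats instead.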
Nice examples here: https://docs.splunk.com/Documentation/Splunk/6.5.2/SearchReference/Metadata
Hope it helps.
I need more detail to understand; maybe a sample mockup of final output, too.