Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why is the metadata command showing the wrong firstTime?

david_halbeisen
New Member
‎07-30-2015 10:02 AM 
| metadata type=sourcetypes index=*

My time range picker is set to today (Today is July 30, 2015). I analyzed my data and I know for certain that ALL of my sourcetypes have data prior to firstTime. Why is this field reporting wrong information? Actually I have data that is 4 years old for most of my sourcetypes, but the aforementioned search is giving me early July 2015 dates. Thank you for your assistance.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sduff_splunk
Splunk Employee
Splunk Employee
‎08-02-2015 04:19 PM

The metadata command is not designed to honour the time picker. If you need to look at the metadata for a particular time range, you should use the metasearch command (http://docs.splunk.com/Documentation/Splunk/6.2.4/SearchReference/Metasearch)

| metasearch index=* | stats first(_time) as earliest_time, last(_time) as latest_time by sourcetype

Albiet, this is usually slower than the metadata command

View solution in original post

Reply
Solved! Jump to solution
Solution

sduff_splunk
Splunk Employee
Splunk Employee
‎08-02-2015 04:19 PM

The metadata command is not designed to honour the time picker. If you need to look at the metadata for a particular time range, you should use the metasearch command (http://docs.splunk.com/Documentation/Splunk/6.2.4/SearchReference/Metasearch)

| metasearch index=* | stats first(_time) as earliest_time, last(_time) as latest_time by sourcetype

Albiet, this is usually slower than the metadata command

Reply
Solved! Jump to solution

Gayathirik
Path Finder
‎10-26-2016 06:20 AM

Hi

Could you please assist to write a query to find out the newly added host for past 7 days? .

Thanks!!

0 Karma
Reply
Get Updates on the Splunk Community!

Update Your SOAR Apps for Python 3.13: What Community Developers Need to Know

To Community SOAR App Developers - we're reaching out with an important update regarding Python 3.9's ...

October Community Champions: A Shoutout to Our Contributors!

As October comes to a close, we want to take a moment to celebrate the people who make the Splunk Community ...

Automatic Discovery Part 2: Setup and Best Practices

In Part 1 of this series, we covered what Automatic Discovery is and why it’s critical for observability at ...