Solved: Re: how to find the earliest and latest event in a...

hiddenkirby · ‎09-30-2010

I simply looking for the fist event in an index and the last... to determine how long it took to index x data.

any suggestions? i couldn't seem to figure out that query.

ziegfried · ‎09-30-2010

Do you mean the time when the event has been indexed? Then the query would be:

index=<your_index> | stats min(_indextime) as min_indextime max(_indextime) as max_indextime | convert ctime(min_indextime) ctime(max_indextime)

View solution in original post

claudio_manig · ‎02-10-2021

I know thats an old post but i wanted to share a way more efficient solution to get latest timestamp by each index in a "metadata" manor:

| rest /services/data/indexes
| stats max(maxTime) by title

Hop that helps others-

Cheers

khourihan_splun · ‎05-03-2019

Try this
| metadata index=main type=hosts | stats min(firstTime) max(lastTime) by host

joy76 · ‎01-21-2015

look at
Settings > DATA > Indexes menu.
There are earliest and last event time by Index.

ziegfried · ‎09-30-2010

Do you mean the time when the event has been indexed? Then the query would be:

index=<your_index> | stats min(_indextime) as min_indextime max(_indextime) as max_indextime | convert ctime(min_indextime) ctime(max_indextime)

hiddenkirby · ‎09-30-2010

i do have DATATIME_CONFIG = current.

hiddenkirby · ‎09-30-2010

i ended up w/ max(_time) and min(_time) .. convert was very helpful. thank you both.

ziegfried · ‎09-30-2010

_time and _indextime are only equal when you use DATETIME_CONFIG = current in your props config of if no timestamp was detected in the event.

ziegfried · ‎09-30-2010

_indextime is always the time when the event has been index. _time can be a different time, for example when the time found within an event is used

hiddenkirby · ‎09-30-2010

whats the difference between _indextime and _time?

Lowell · ‎09-30-2010

You can look at the index event times using something like this:

| metadata index=main type=hosts | stats min(firstTime) max(lastTime)

Or, to examine individual events, you can compare the _time and _indextime fields:

 index=main | eval lag=_indextime-_time | stats avg(lag) ...

Do either of these help?

damode · ‎11-15-2017

Hi Lowell,

When I try this command, | metadata index=main type=hosts | stats min(firstTime) max(lastTime), all I get is two columns, min(firstTime) max(lastTime) with time in seconds.

Can you please advise where I am getting it wrong ?
Thanks.
Dev

hiddenkirby · ‎09-30-2010

This was helpful.

how to find the earliest and latest event in an index?

Enterprise Security Content Update (ESCU) | New Releases

Expert Tips from Splunk Professional Services, Ensuring Compliance, and More New ...

Observability Release Update: AI Assistant, AppD + Observability Cloud Integrations & ...