Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

how to find the earliest and latest event in an index?

hiddenkirby
Contributor
‎09-30-2010 07:21 PM

I simply looking for the fist event in an index and the last... to determine how long it took to index x data.

any suggestions? i couldn't seem to figure out that query.

Tags (3)
Reply
1 Solution
Solved! Jump to solution
Solution

ziegfried
Influencer
‎09-30-2010 07:25 PM

Do you mean the time when the event has been indexed? Then the query would be:

index=<your_index> | stats min(_indextime) as min_indextime max(_indextime) as max_indextime | convert ctime(min_indextime) ctime(max_indextime)

View solution in original post

Reply
Solved! Jump to solution

claudio_manig
Communicator
‎02-10-2021 08:13 AM

I know thats an old post but i wanted to share a way more efficient solution to get latest timestamp by each index in a "metadata" manor:

| rest /services/data/indexes
| stats max(maxTime) by title

 

Hop that helps others-

Cheers 

Reply
Solved! Jump to solution

khourihan_splun
Splunk Employee
Splunk Employee
‎05-03-2019 02:28 PM

Try this
| metadata index=main type=hosts | stats min(firstTime) max(lastTime) by host

0 Karma
Reply
Solved! Jump to solution

joy76
Path Finder
‎01-21-2015 12:36 AM

look at
Settings > DATA > Indexes menu.
There are earliest and last event time by Index.

0 Karma
Reply
Solved! Jump to solution
Solution

ziegfried
Influencer
‎09-30-2010 07:25 PM

Do you mean the time when the event has been indexed? Then the query would be:

index=<your_index> | stats min(_indextime) as min_indextime max(_indextime) as max_indextime | convert ctime(min_indextime) ctime(max_indextime)
Reply
Solved! Jump to solution

hiddenkirby
Contributor
‎09-30-2010 07:49 PM

i do have DATATIME_CONFIG = current.

0 Karma
Reply
Solved! Jump to solution

hiddenkirby
Contributor
‎09-30-2010 07:49 PM

i ended up w/ max(_time) and min(_time) .. convert was very helpful. thank you both.

0 Karma
Reply
Solved! Jump to solution

ziegfried
Influencer
‎09-30-2010 07:43 PM

_time and _indextime are only equal when you use DATETIME_CONFIG = current in your props config of if no timestamp was detected in the event.

0 Karma
Reply
Solved! Jump to solution

ziegfried
Influencer
‎09-30-2010 07:42 PM

_indextime is always the time when the event has been index. _time can be a different time, for example when the time found within an event is used

0 Karma
Reply
Solved! Jump to solution

hiddenkirby
Contributor
‎09-30-2010 07:40 PM

whats the difference between _indextime and _time?

0 Karma
Reply
Solved! Jump to solution

Lowell
Super Champion
‎09-30-2010 07:25 PM

You can look at the index event times using something like this:

| metadata index=main type=hosts | stats min(firstTime) max(lastTime)

Or, to examine individual events, you can compare the _time and _indextime fields:

 index=main | eval lag=_indextime-_time | stats avg(lag) ...

Do either of these help?

Reply
Solved! Jump to solution

damode
Motivator
‎11-15-2017 04:07 PM

Hi Lowell,

When I try this command, | metadata index=main type=hosts | stats min(firstTime) max(lastTime), all I get is two columns, min(firstTime) max(lastTime) with time in seconds.

Can you please advise where I am getting it wrong ?
Thanks.
Dev

0 Karma
Reply
Solved! Jump to solution

hiddenkirby
Contributor
‎09-30-2010 07:48 PM

This was helpful.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...