Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

index and the sourcetypes in which the hosts have collected events, with the date of the first and last event on the spe

jtabilas
Loves-to-Learn Everything
‎07-07-2023 12:49 AM

on index=_internal I have to create two searches one on (report ) and one connected to the dashboard where the index and the sourcetypes have collected events, with the date of the first and last event on the specific sourcetypes, the searches must take into account the data already present in the lookup itself. With the search, we don't have to overwrite the lookup every time, making the very purpose of its creation fail, since the date of the first event is lost as soon as the searchable data go beyond the retention of the indexes. also with 2 lookup datasets, an old one we have, a new one we need to create. check between the old and the new. if the old recorded data is old, it is kept if the new data is among the oldest, it will be replaced.

 

below the oldlookup search /// // index="_internal" 
| stats count, earliest(_time) as first, latest(_time) as last by sourcetype, index, host 
| eval first = strftime(first, "%Y-%m-%d %H:%M:%S"), last = strftime(last, "%Y-%m-%d %H:%M:%S") 
| table host, index, sourcetype, first, last 
| rename first as "first event", last as "last event" 
| sort - "first event" 
| outputlookup old
.csv

 

Labels (3)
0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎07-07-2023 02:12 AM

Hi

unfortunately I didn't get what is your question?

Anyhow you should change two first lines on your query to improve its performance. Try this

| tstats count, earliest(_time) as first, latest(_time) as last where index=_internal  by sourcetype, index, host

instead of "index... | stats..."

There are lot of different apps which you could use to follow up if nodes are sending events or not on splunk base. One which could help you is TrackMe. Maybe not the eases to setup but it's quite capable for monitoring source hosts and individual logs.

r. Ismo 

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability Synthetic Monitoring - Resolved Incident on Detector Alerts

We’ve discovered a bug that affected the auto-clear of Synthetic Detectors in the Splunk Synthetic Monitoring ...

Video | Tom’s Smartness Journey Continues

Remember Splunk Community member Tom Kopchak? If you caught the first episode of our Smartness interview ...

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud?

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud? Learn how unique features like ...