Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

index and the sourcetypes in which the hosts have collected events, with the date of the first and last event on the spe

jtabilas
Loves-to-Learn Everything
‎07-07-2023 12:49 AM

on index=_internal I have to create two searches one on (report ) and one connected to the dashboard where the index and the sourcetypes have collected events, with the date of the first and last event on the specific sourcetypes, the searches must take into account the data already present in the lookup itself. With the search, we don't have to overwrite the lookup every time, making the very purpose of its creation fail, since the date of the first event is lost as soon as the searchable data go beyond the retention of the indexes. also with 2 lookup datasets, an old one we have, a new one we need to create. check between the old and the new. if the old recorded data is old, it is kept if the new data is among the oldest, it will be replaced.

 

below the oldlookup search /// // index="_internal" 
| stats count, earliest(_time) as first, latest(_time) as last by sourcetype, index, host 
| eval first = strftime(first, "%Y-%m-%d %H:%M:%S"), last = strftime(last, "%Y-%m-%d %H:%M:%S") 
| table host, index, sourcetype, first, last 
| rename first as "first event", last as "last event" 
| sort - "first event" 
| outputlookup old
.csv

 

Labels (3)
0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎07-07-2023 02:12 AM

Hi

unfortunately I didn't get what is your question?

Anyhow you should change two first lines on your query to improve its performance. Try this

| tstats count, earliest(_time) as first, latest(_time) as last where index=_internal  by sourcetype, index, host

instead of "index... | stats..."

There are lot of different apps which you could use to follow up if nodes are sending events or not on splunk base. One which could help you is TrackMe. Maybe not the eases to setup but it's quite capable for monitoring source hosts and individual logs.

r. Ismo 

0 Karma
Reply
Get Updates on the Splunk Community!

Unlock Database Monitoring with Splunk Observability Cloud

  In today’s fast-paced digital landscape, even minor database slowdowns can disrupt user experiences and ...

Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All

At Cisco, purpose isn’t a tagline—it’s a commitment. Cisco’s FY25 Purpose Report outlines how the company is ...

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk

Join us for a live Demo Day at the Cisco Store on January 21st 10:00am - 11:00am PST In the fast-paced world ...