Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

index data

Siddharthnegi
Contributor
‎06-20-2024 10:58 PM

Hello , How can I know the start time and the latest time  coming of data of all index .
meaning that when was the first time data came in that index and when is the latest time data have came in that index.

0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎06-20-2024 11:17 PM

Do you really want to know the times in the entire index?  If so, tstats is usually the way to go.

| tstats min(_time) as start max(_time) as end where index=myindex
| fieldformat start = strftime(start, "%F %T")
| fieldformat end = strftime(end, "%F %T")

Something like that.

Reply

Siddharthnegi
Contributor
‎06-20-2024 11:24 PM

Thank You for your reply , but I want this information for all indexes  at once with their respective names is that possible?

0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎06-21-2024 01:30 AM

This is where you need to be extra diligent in problem statement.  Yes, it is doable but volunteers are not mind readers.

| tstats min(_time) as start max(_time) as end where index=* by index
| fieldformat start = strftime(start, "%F %T")
| fieldformat end = strftime(end, "%F %T")

 

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...