×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Nealium
New Member
Member since: ‎11-20-2025
‎11-20-2025
Community Statistics
Posts 1
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎11-20-2025
Topics I've Started
No posts to display.
View All

Re: Is there a way to determine the install date f...

by in Splunk Search
‎11-20-2025 07:10 AM
‎11-20-2025 07:10 AM
For my instance, though there was no official "install date" recorded, you can use the first instances of splunkd logs to be able to estimate when a machine was installed with a splunk agent, I used the following: | tstats min(_time) as firsttime, count where index=_internal AND source=*splunkd* by host | eval nowtime=now()-604800 | where firsttime>nowtime Which essentially says go back to and find the earliest instance of a log, if it is within the last week then it is an assumed new machine and we will record it, otherwise remove it from the list. Is this method perfect? no but it will get you a ballpark of machines onboarded in the past week. Best solution would probably be to create a saved search to record every new instance of a machine in the past 24 hours and append it to a lookup. ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎11-20-2025 06:56 AM