How can you list all indexes and the time of their first indexed event? metadata seems to only show you the hosts, sources or sourcetypes. I can list all indexes with | eventcount summarize=false index=* | dedup index | fields index . Also tried something like this but with no success:
| eventcount summarize=false index=* index=_* | dedup index | fields index
| map maxsearches=100 search="|metadata type=sourcetypes index=\"$index$\" | eval index=\"$index$\" | stats min(firstTime) as firstTime by sourcetype
| convert ctime(firstTime) "
| fields index sourcetype firstTime
Any ideas?
... View more