Deployment Architecture
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Oldest event from source or sourcetype

suhprano
Path Finder
‎05-05-2011 10:34 AM

I have a distributed index model and I would like to use the search head to find out what the oldest event is per source or sourcetype.

I tried using the metadata command but nothing comes up, do I have to do this search on the indexer? Is there a way to search this just on the search head?

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

hazekamp
Builder
‎05-05-2011 02:04 PM

suhprano,

The "| metadata" command will distribute to all servers in your distributed search pool. The reason you may not be getting results back could be caused by your data being in non-default indexes. Have you tried:

| metadata type=sources index=*

Your role should also have the get_metadata capability (get_metadata is a shipped capability of all roles).

Update:
Based on your comment below make sure you are using valid types. Valid types are:

type=sources
type=hosts
type=sourcetypes

View solution in original post

Reply
Solved! Jump to solution

usethedata
Path Finder
‎09-21-2013 06:10 PM

I wanted the timestamp of the oldest event to be in human interpretable form, so I added a strftime call. For me, to find the oldest record from my vpn log source, I used 

| metadata type=sources index=* | where source="/log/sources/myvpn/myvpn.log" | eval str_firstTime=strftime(firstTime,"%Y-%m-%d %H:%M")

That gave me the oldest event for that particular source in a format that was easy to read

0 Karma
Reply
Solved! Jump to solution
Solution

hazekamp
Builder
‎05-05-2011 02:04 PM

suhprano,

The "| metadata" command will distribute to all servers in your distributed search pool. The reason you may not be getting results back could be caused by your data being in non-default indexes. Have you tried:

| metadata type=sources index=*

Your role should also have the get_metadata capability (get_metadata is a shipped capability of all roles).

Update:
Based on your comment below make sure you are using valid types. Valid types are:

type=sources
type=hosts
type=sourcetypes
Reply
Solved! Jump to solution

suhprano
Path Finder
‎05-06-2011 10:35 AM

Thanks for the info, but it appears that it only retrieves one epoch time for all source/sourcetypes. Is there a way to find the oldest event regarding a particular sourcetype?

0 Karma
Reply
Solved! Jump to solution

hazekamp
Builder
‎05-05-2011 04:13 PM

Your search looks good except for type=sourcestypes. Should either be type=sources or type=sourcetypes

0 Karma
Reply
Solved! Jump to solution

suhprano
Path Finder
‎05-05-2011 02:13 PM

Sorry, I'm still not seeing it. I'm also trying on the actual indexes and nothing comes up. This is the search I'm running:

| metadata type=sourcestypes index=*| stats min(firstTime) as firstTime

Could it be the (firstTime) field? I don't know if that's the right syntax or parameter I should be passing.

Reply
Get Updates on the Splunk Community!

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Your Next Big Security Credential: No Prerequisites Needed We know you’ve got the skills, and now, earning the ...

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...