Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Oldest event from source or sourcetype

suhprano
Path Finder
‎05-05-2011 10:34 AM

I have a distributed index model and I would like to use the search head to find out what the oldest event is per source or sourcetype.

I tried using the metadata command but nothing comes up, do I have to do this search on the indexer? Is there a way to search this just on the search head?

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

hazekamp
Builder
‎05-05-2011 02:04 PM

suhprano,

The "| metadata" command will distribute to all servers in your distributed search pool. The reason you may not be getting results back could be caused by your data being in non-default indexes. Have you tried:

| metadata type=sources index=*

Your role should also have the get_metadata capability (get_metadata is a shipped capability of all roles).

Update:
Based on your comment below make sure you are using valid types. Valid types are:

type=sources
type=hosts
type=sourcetypes

View solution in original post

Reply
Solved! Jump to solution

usethedata
Path Finder
‎09-21-2013 06:10 PM

I wanted the timestamp of the oldest event to be in human interpretable form, so I added a strftime call. For me, to find the oldest record from my vpn log source, I used 

| metadata type=sources index=* | where source="/log/sources/myvpn/myvpn.log" | eval str_firstTime=strftime(firstTime,"%Y-%m-%d %H:%M")

That gave me the oldest event for that particular source in a format that was easy to read

0 Karma
Reply
Solved! Jump to solution
Solution

hazekamp
Builder
‎05-05-2011 02:04 PM

suhprano,

The "| metadata" command will distribute to all servers in your distributed search pool. The reason you may not be getting results back could be caused by your data being in non-default indexes. Have you tried:

| metadata type=sources index=*

Your role should also have the get_metadata capability (get_metadata is a shipped capability of all roles).

Update:
Based on your comment below make sure you are using valid types. Valid types are:

type=sources
type=hosts
type=sourcetypes
Reply
Solved! Jump to solution

suhprano
Path Finder
‎05-06-2011 10:35 AM

Thanks for the info, but it appears that it only retrieves one epoch time for all source/sourcetypes. Is there a way to find the oldest event regarding a particular sourcetype?

0 Karma
Reply
Solved! Jump to solution

hazekamp
Builder
‎05-05-2011 04:13 PM

Your search looks good except for type=sourcestypes. Should either be type=sources or type=sourcetypes

0 Karma
Reply
Solved! Jump to solution

suhprano
Path Finder
‎05-05-2011 02:13 PM

Sorry, I'm still not seeing it. I'm also trying on the actual indexes and nothing comes up. This is the search I'm running:

| metadata type=sourcestypes index=*| stats min(firstTime) as firstTime

Could it be the (firstTime) field? I don't know if that's the right syntax or parameter I should be passing.

Reply
Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...