Hi guys,
I should retrieve the installation date and some other Splunk server information directly from a standard search. Is it possible?
Hi RiccardoV,
if there wasn't any splunk clean all done and the setup is no longer than 6 years ago, you could search index=_audit and see when you have the earliest events. That should give you at least some date and time. But you still cannot tell if this is the real installation date or just a date after the last clean all.
index=_internal will keep its events by default only for 30 days.
hope this helps ...
cheers, MuS
On Unix:
1. rpm -qa| grep splunk
2. rpm -qi splunk-6.0.4-207768.x86_64 (Installed, other details.. )
I need to take that data INSIDE splunk
In Web UI -> indexes,
look for earliest time.
Hope it can help u..
And also, it is perfectly normal to set up a Splunk server and then import archived log files (which could easily be several years old), so looking at the earliest timestamp of an event is not a 100% certain solution.
/k
I already answered this question, but here would be the next answer to the next question. Remember this is also only valid if there was no splunk clean all done. So here would be the equivalent search to the UI approach:
| rest /services/data/indexes | search title=main | table title minTime splunk_server
This example uses only index=main, and bear in mind that on a search head you will get results from all search peers, whereas in the UI you will get only the local index report, even on a search head.
cheers, MuS
I need to retrieve the value from a search
Thanks @MuS, it helps very much! I hoped for a different (and more "unique") solution 🙂