- Splunk Answers
- :
- Splunk Administration
- :
- Deployment Architecture
- :
- Oldest event from source or sourcetype
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a distributed index model and I would like to use the search head to find out what the oldest event is per source or sourcetype.
I tried using the metadata command but nothing comes up, do I have to do this search on the indexer? Is there a way to search this just on the search head?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
suhprano,
The "| metadata" command will distribute to all servers in your distributed search pool. The reason you may not be getting results back could be caused by your data being in non-default indexes. Have you tried:
| metadata type=sources index=*
Your role should also have the get_metadata capability (get_metadata is a shipped capability of all roles).
Update:
Based on your comment below make sure you are using valid types. Valid types are:
type=sources
type=hosts
type=sourcetypes
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I wanted the timestamp of the oldest event to be in human interpretable form, so I added a strftime call. For me, to find the oldest record from my vpn log source, I used
| metadata type=sources index=* | where source="/log/sources/myvpn/myvpn.log" | eval str_firstTime=strftime(firstTime,"%Y-%m-%d %H:%M")
That gave me the oldest event for that particular source in a format that was easy to read
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
suhprano,
The "| metadata" command will distribute to all servers in your distributed search pool. The reason you may not be getting results back could be caused by your data being in non-default indexes. Have you tried:
| metadata type=sources index=*
Your role should also have the get_metadata capability (get_metadata is a shipped capability of all roles).
Update:
Based on your comment below make sure you are using valid types. Valid types are:
type=sources
type=hosts
type=sourcetypes
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the info, but it appears that it only retrieves one epoch time for all source/sourcetypes. Is there a way to find the oldest event regarding a particular sourcetype?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Your search looks good except for type=sourcestypes. Should either be type=sources or type=sourcetypes
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sorry, I'm still not seeing it. I'm also trying on the actual indexes and nothing comes up. This is the search I'm running:
| metadata type=sourcestypes index=*| stats min(firstTime) as firstTime
Could it be the (firstTime) field? I don't know if that's the right syntax or parameter I should be passing.
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
