| metadata type=sourcetypes index=*
My time range picker is set to today (Today is July 30, 2015). I analyzed my data and I know for certain that ALL of my sourcetypes have data prior to firstTime. Why is this field reporting wrong information? Actually I have data that is 4 years old for most of my sourcetypes, but the aforementioned search is giving me early July 2015 dates. Thank you for your assistance.
The metadata command is not designed to honour the time picker. If you need to look at the metadata for a particular time range, you should use the metasearch command (http://docs.splunk.com/Documentation/Splunk/6.2.4/SearchReference/Metasearch)
| metasearch index=* | stats first(_time) as earliest_time, last(_time) as latest_time by sourcetype
Albiet, this is usually slower than the metadata command
The metadata command is not designed to honour the time picker. If you need to look at the metadata for a particular time range, you should use the metasearch command (http://docs.splunk.com/Documentation/Splunk/6.2.4/SearchReference/Metasearch)
| metasearch index=* | stats first(_time) as earliest_time, last(_time) as latest_time by sourcetype
Albiet, this is usually slower than the metadata command
Hi
Could you please assist to write a query to find out the newly added host for past 7 days? .
Thanks!!