Splunk Search

Is there a search command for Splunk that will find the oldest event in the index for a host faster than letting a full query run?

esweeney
Splunk Employee
Splunk Employee

Is there a search command for Splunk that will find the oldest event in the index for a host faster than letting a full query run?

Tags (3)

Lowell
Super Champion

This should do the trick:

| metadata index=myindex type=hosts | search host="myhost" | fields + host, firstTime | convert ctime(firstTime)

newbie2tech
Communicator

Any idea,
how do we get the same by indexer? using splunk_server in by clause of stats wouldn't give the information.

0 Karma

gkanapathy
Splunk Employee
Splunk Employee

The oldest event, or the time of the oldest event? The time is easy:

| metadata type=hosts | stats min(firstTime) as _time, values(host)

Once you have that, you could just take the time and search, or use a subsearch:

[ metadata type=hosts | stats min(firstTime) as _time, values(host) as host | mvexpand host ]

which will come back with all the events with that timestamp.

gkanapathy
Splunk Employee
Splunk Employee

sorry, i guess the question was for a particular host, not any host. well.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...