Earliest event in a sourcetype

mcm10285
Communicator

Is there a way to know the earliest event of a specific sourcetype and if the actual event can be viewed for validation?

I tried the following but it returned an epoch time (earliest and latest) for different sourcetypes which I cannot validate by seeing the actual event.

| metadata type=sourcetypes sourcetype=proofpoint | stats min(firstTime) as firstTime

justinatpnnl
Communicator

You could use the metadata command as a subsearch, getting the firstTime as the latest time that Splunk should look at:

sourcetype=proofpoint 
    [| metadata type=sourcetypes 
    | search sourcetype=proofpoint 
    | stats min(firstTime) as latest by sourcetype 
    | eval latest=latest+1] 
| stats earliest(_time) as _time, earliest(_raw) as event by sourcetype

I tried this on a few of my sourcetypes and it seemed to do the trick. A couple of notes:

  1. Set your timepicker to "All Time"
  2. By setting the minimum firstTime as latest in the subsearch, we are overriding the timepicker to search for anything older than the minimum firstTime we found.
  3. I added one to the latest time in the subsearch because Splunk translates latest=timestamp as _time
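
The following is an added example, not code from the thread: a small in-memory model of the subsearch pattern above, written to show why the +1 on latest matters. It relies on the fact that Splunk's latest= bound is exclusive (_time < latest), so a bound equal to the metadata firstTime drops the very event being searched for; the event data and timestamps are constructed sample values.

```python
# Added example (not from the thread): models the "metadata firstTime as
# latest" trick to show the off-by-one that the +1 avoids.
# Splunk semantics modelled here: earliest is inclusive, latest is exclusive,
# and `metadata` reports firstTime in whole seconds.

# Constructed sample index: (_time as epoch seconds, sourcetype, _raw)
EVENTS = [
    (1700000000.0, "proofpoint", "oldest proofpoint event"),
    (1700000000.4, "proofpoint", "second proofpoint event (same second)"),
    (1700003600.0, "proofpoint", "later proofpoint event"),
    (1699990000.0, "syslog", "oldest syslog event"),
]


def metadata_firsttime(events, sourcetype):
    """Model `| metadata type=sourcetypes`: firstTime for one sourcetype,
    truncated to whole seconds as the catalog reports it."""
    times = [t for t, st, _ in events if st == sourcetype]
    return int(min(times)) if times else None


def search(events, sourcetype, earliest=0, latest=None):
    """Model `sourcetype=X earliest=... latest=...`: earliest inclusive,
    latest exclusive (an event at exactly `latest` is NOT returned)."""
    return [e for e in events
            if e[1] == sourcetype and e[0] >= earliest
            and (latest is None or e[0] < latest)]


def earliest_event(events, sourcetype, add_one=True):
    """The answer's pattern: the subsearch supplies latest=firstTime (+1),
    then `stats earliest(_time), earliest(_raw)` picks the oldest survivor.
    With add_one=False the exclusive bound excludes the oldest event itself."""
    first = metadata_firsttime(events, sourcetype)
    if first is None:
        return None
    latest = first + 1 if add_one else first
    hits = search(events, sourcetype, latest=latest)
    return min(hits, key=lambda e: e[0]) if hits else None


if __name__ == "__main__":
    print(earliest_event(EVENTS, "proofpoint"))                 # the oldest event
    print(earliest_event(EVENTS, "proofpoint", add_one=False))  # None: off by one
```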

eckolp2003
Path Finder

Proofpoint now has a beta app that will allow you to report on and visualize your Proofpoint Protection Server and TAP data! Check out the new app here:

https://splunkbase.splunk.com/app/3727/#/details

Be sure to follow the instructions listed in the details to get all the needed TA's etc that the app needs to work correctly.


sowings
Splunk Employee

The metadata search command won't show you events, just the "meta" data (hence the name) in the system catalog. If you want to see events of a certain sourcetype, you could just search for those:

search sourcetype=foo

To find the chronological first of these, you could try:

search sourcetype=foo | tail

(remembering that Splunk returns newest events first, and oldest events last).


MarioM
Motivator

Do you mean you want a human-readable date/time? If yes, add this to your search:

| convert ctime(firstTime)