I would like to see the list of all the indexes along with the earliest and latest timestamp for the oldest log and the earliest log stored in each index.
I used the following query, but it takes too much time to provide the results. Is there any other method to see this information as quickly as possible?
index=* | stats first(_time) as latest last(_time) as earliest by index | convert timeformat="%Y-%m-%d %H:%M:%S" ctime(earliest) ctime(latest)
You could probably find a metadata search to do what you want:
| metadata type=sourcetypes index=main | stats min(firstTime) AS begin max(lastTime) AS end | eval begin = strftime(begin, "%Y-%m-%d %H:%M:%S") | eval end = strftime(end, "%Y-%m-%d %H:%M:%S")
For more information, see http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Metadata
Hope this helps,
Kristian
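A per-index variant of the same idea, as an added example that is not part of the original question or answer: `tstats` reads the index-time summary files instead of scanning raw events, so it can group by `index` in one pass. The `count` and `span_days` columns are additions for checking how much history each index actually holds.

```spl
| tstats count min(_time) as earliest max(_time) as latest where index=* by index
| eval span_days = round((latest - earliest) / 86400, 1)
| eval earliest = strftime(earliest, "%Y-%m-%d %H:%M:%S")
| eval latest = strftime(latest, "%Y-%m-%d %H:%M:%S")
| sort index
| table index count earliest latest span_days
```

Run it with the time range set to All time, otherwise `earliest` only reflects the selected window. `index=*` does not match internal indexes; use `where (index=* OR index=_*)` to include them.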