Splunk Search

How to find the earliest event based on event code for one server?

singhg
Explorer

Hi,

I am trying to find the first time the event ID 4656 was indexed for a particular server.

The search below gives me only the first time any event was indexed for this server:
| metadata index=main type=hosts | search host="Name" | fields + host, firstTime | convert ctime(firstTime)

Do you know a command to do that?


singhg
Explorer

Thanks cphair for your reply, but when I run this I get this error:

Error in 'stats' command: The argument 'earliest(_time)' is invalid.


cphair
Builder

@singhg, are you on an earlier version of Splunk? It looks like the earliest function was introduced in 4.3. You can try last(_time) instead of earliest(_time), which looks at the time the event was indexed rather than the actual timestamp and so may be a bit less accurate.


cphair
Builder

For a known host foo:

index=main EventCode=4656 host=foo | stats earliest(_time) as Earliest | eval FirstSeen=strftime(Earliest,"%+") | table FirstSeen

To find the first time the event occurred on each host in the index:

index=main EventCode=4656 | stats earliest(_time) as Earliest by host | eval FirstSeen=strftime(Earliest,"%+") | table host,FirstSeen

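An added illustration, not code from the thread or from Splunk: a small Python model of the three searches discussed above, so the difference between them is visible without a Splunk instance. EventCode 4656 is the Windows Security audit event "A handle to an object was requested". The events, hosts and timestamps below are constructed; the model assumes, as a simple Splunk search does, that results reach stats newest _time first, and it adds an _indextime field purely to show what happens to last(_time) when that ordering assumption does not hold (for example after a sort, or for backfilled data). earliest(_time) does not depend on ordering at all, which is why it is the right function once it is available.

```python
from datetime import datetime, timezone

# Constructed sample events (not real audit data). _time is the event's own
# timestamp, _indextime is when it was ingested. srv-b has a backfilled 4656
# event that arrived late but carries the oldest timestamp.
EVENTS = [
    {"host": "srv-a", "EventCode": 4656, "_time": 1700000100, "_indextime": 1700000105},
    {"host": "srv-a", "EventCode": 4656, "_time": 1700000400, "_indextime": 1700000402},
    {"host": "srv-a", "EventCode": 4624, "_time": 1699990000, "_indextime": 1699990003},  # logon, not 4656
    {"host": "srv-b", "EventCode": 4656, "_time": 1700000300, "_indextime": 1700000301},
    {"host": "srv-b", "EventCode": 4656, "_time": 1699999000, "_indextime": 1700000900},  # backfilled
]


def search(events, event_code=None, host=None):
    """Model of `index=main EventCode=<code> host=<host>`: filter, then hand the
    results to stats the way a plain search does, newest _time first."""
    hits = [e for e in events
            if (event_code is None or e["EventCode"] == event_code)
            and (host is None or e["host"] == host)]
    return sorted(hits, key=lambda e: e["_time"], reverse=True)


def metadata_first_time(events, host):
    """Model of `| metadata type=hosts`: the first _time for the host across every
    event code, which is why the asker's original search could not answer the question."""
    times = [e["_time"] for e in events if e["host"] == host]
    return min(times) if times else None


def stats_earliest_by_host(results):
    """`stats earliest(_time) by host`: the minimum event timestamp per host,
    regardless of the order in which results arrive."""
    out = {}
    for e in results:
        out[e["host"]] = min(out.get(e["host"], e["_time"]), e["_time"])
    return out


def stats_last_by_host(results):
    """`stats last(_time) by host`: the _time of the last result seen per host.
    This equals earliest() only while results arrive newest-first."""
    out = {}
    for e in results:
        out[e["host"]] = e["_time"]
    return out


def first_seen(epoch):
    """Equivalent of `eval FirstSeen=strftime(Earliest, ...)`, rendered in UTC."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def report(events, event_code=4656):
    """The per-host answer from cphair's second search: host -> FirstSeen."""
    results = search(events, event_code)
    return {h: first_seen(t) for h, t in sorted(stats_earliest_by_host(results).items())}


if __name__ == "__main__":
    print("metadata firstTime for srv-a (any event code):",
          first_seen(metadata_first_time(EVENTS, "srv-a")))
    print("earliest(_time) of 4656 per host:", report(EVENTS))
    by_index = sorted(search(EVENTS, 4656), key=lambda e: e["_indextime"], reverse=True)
    print("last(_time) when results are ordered by index time instead:",
          {h: first_seen(t) for h, t in stats_last_by_host(by_index).items()})
```

Running it shows the metadata search answering with the 4624 logon event for srv-a, while the EventCode-filtered earliest() returns the first 4656 for each host; the final line shows last(_time) drifting to a later value for srv-b once the result order no longer matches event time.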