Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How can I get the 10 oldest events of a search first and quickly?

daniel333
Builder
‎02-24-2017 09:35 AM

All,

Any idea how I get the 10 oldest events from the search below? I need it to validate that we have 90 days of retention for an audit. Seems like I should be able to go a head 10. Seems to be there should be a faster way of doing this rather than just using the head/tail functions?

index=* host=*dcs* sourcetype="WinEventLog:Security"
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

muebel
SplunkTrust
SplunkTrust
‎02-24-2017 09:49 AM

Hi daniel333, tstats looks like a good use here. For instance:

| tstats min(_time) as earliestTime where index=* host=*dcs* sourcetype="WinEventLog:Security" | convert ctime(earliestTime)

Run it over 90 or more days to get the minimum value for the events that match that search.

You could get a more informative look on retention by splitting by host, for instance:

    | tstats min(_time) as earliestTime where index=* host=*dcs* sourcetype="WinEventLog:Security" by host | convert ctime(earliestTime)

To get the raw events themselves, I'd just use a custom search time that has a narrow window, like earliest=-90d@d latest=-89d@d to make the search run faster

Please let me know if this answers your question! 😄

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

muebel
SplunkTrust
SplunkTrust
‎02-24-2017 09:49 AM

Hi daniel333, tstats looks like a good use here. For instance:

| tstats min(_time) as earliestTime where index=* host=*dcs* sourcetype="WinEventLog:Security" | convert ctime(earliestTime)

Run it over 90 or more days to get the minimum value for the events that match that search.

You could get a more informative look on retention by splitting by host, for instance:

    | tstats min(_time) as earliestTime where index=* host=*dcs* sourcetype="WinEventLog:Security" by host | convert ctime(earliestTime)

To get the raw events themselves, I'd just use a custom search time that has a narrow window, like earliest=-90d@d latest=-89d@d to make the search run faster

Please let me know if this answers your question! 😄

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...