I am trying to see the last time an index was written to so we can monitor it and make sure logs are still being received. I haven't really found anything that works. I was able to craft the search below, but it goes through all of the logs and takes forever.
index=* | bucket _time span=1d as day | stats latest(_time) as Last by index | eval Last=strftime(Last,"%H:%M:%S") | eval day=strftime(day,"%m/%d/%Y")
Any help would be appreciated.
Try this query.
| rest /services/data/indexes splunk_server=local | sort title | table title maxTime
This worked, too; however, maxTime only displayed for one of the entries and not for all of the indexes.
| tstats latest(_time) WHERE index=* BY index
So this got me what I was looking for. However, I modified it to the search below. The last thing I need is to figure out how to set up a where statement so it will display the indexes that have a latest(_time) of greater than an hour ago. Eventually, this will be turned into an alert where I would receive an email if an index hasn't been updated in more than an hour. Thanks for any help!
| tstats latest(_time) as Last by index | eval Last=strftime(Last,"%H:%M:%S")
Try:
| tstats latest(_time) as Last by index | eval one_hour_ago=relative_time(now(), "-1h") | where Last<one_hour_ago | eval Last=strftime(Last,"%H:%M:%S")