My understanding is Splunk will purge old data in an index when the disk limit is reached.
What is the easy/fast way to find out the earliest available event in an index?
Thanks in advance
@xindeNokia you can use metadata-specific commands like tstats, metadata or dbinspect depending on your use case.
Following are some run-anywhere examples based on Splunk's _internal
index. Change the index name as per your requirement.
| tstats earliest(_time) as earliestTime latest(_time) as latestTime count as eventCount where index=_internal
| fieldformat earliestTime=strftime(earliestTime,"%Y/%m/%d %H:%M:%S")
| fieldformat latestTime=strftime(latestTime,"%Y/%m/%d %H:%M:%S")
| metadata type=sourcetypes index=_internal
| fieldformat firstTime=strftime(firstTime,"%Y/%m/%d %H:%M:%S")
| fieldformat lastTime=strftime(lastTime,"%Y/%m/%d %H:%M:%S")
PS: | stats min(firstTime)
can be added to get the earliest time across the grouped default field, in this case sourcetypes.
| dbinspect index=_internal
| fieldformat startEpoch=strftime(startEpoch,"%Y/%m/%d %H:%M:%S")
| fieldformat endEpoch=strftime(endEpoch,"%Y/%m/%d %H:%M:%S")
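The searches above answer the question for one index at a time. The following is an added example (not part of the original answer) that extends the dbinspect approach across all non-internal indexes and sets the observed time span of each index beside its configured age-based retention (frozenTimePeriodInSecs), which is what a defender needs to tell an expected age-based roll-off from a size-based purge that may have removed events the retention policy was supposed to keep. It assumes dbinspect exposes the index, bucketId, sizeOnDiskMB, startEpoch and endEpoch fields, that the data/indexes REST endpoint exposes frozenTimePeriodInSecs and maxTotalDataSizeMB, and that the search is run on a search head with REST access to its own index configuration.

```spl
| dbinspect index=*
| search index!=_*
| stats min(startEpoch) as earliestEpoch max(endEpoch) as latestEpoch dc(bucketId) as buckets sum(sizeOnDiskMB) as sizeMB by index
| eval coveredDays=round((latestEpoch-earliestEpoch)/86400,1)
| join type=left index
    [ | rest /services/data/indexes splunk_server=local
      | eval index=title, retentionDays=round(frozenTimePeriodInSecs/86400,1)
      | table index retentionDays maxTotalDataSizeMB ]
| eval sizePurgeSuspected=if(coveredDays < retentionDays, "yes", "no")
| fieldformat earliestEpoch=strftime(earliestEpoch,"%Y/%m/%d %H:%M:%S")
| fieldformat latestEpoch=strftime(latestEpoch,"%Y/%m/%d %H:%M:%S")
| table index earliestEpoch latestEpoch coveredDays retentionDays sizeMB maxTotalDataSizeMB buckets sizePurgeSuspected
```

Two caveats when reading the result: splunk_server=local returns the index configuration of the host running the search, so in a distributed deployment point the rest subsearch at the indexers (or run it from the cluster manager) to see the effective settings; and an index that has simply existed for less time than its retention period will also show coveredDays below retentionDays, so treat sizePurgeSuspected=yes as a prompt to check sizeMB against maxTotalDataSizeMB rather than as proof of data loss.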