On the Splunk-7.1.2-InheritedDeployment.pdf, I was looking for any ideas about finding out when my Splunk environment was installed/deployed...
However, no answers were there...
Have a look on your Splunk servers, in the root of the Splunk install folder, for the creation date of the oldest manifest file. Unless the previous admin manually cleaned those up when doing upgrades, that should give you an idea of when the install was first done.
That, or look at the creation date of var/log/splunk/first_install.log
WARNING! This answer is wrong. The date of this file will be the date of the file when it was packaged in the installer (tgz/rpm).
Superb.. thanks @FrankVl (my sincere apologies for the delay in accepting this as answer)
any other ideas, suggestions.. please reply...
From Lowell's and dveuve's answer at
https://answers.splunk.com/answers/4119/how-to-return-time-of-first-event-in-an-index.html
You can get first/last information from your index like this using the metadata command; that is the fastest way to get this information:
| metadata index=foo type=hosts | stats max(lastTime), min(firstTime)
If you want to convert that into a more readable time format, try something like this:
| metadata index=foo type=hosts | stats max(lastTime) as lastTime, min(firstTime) as firstTime | convert ctime(*Time)
Be aware that if you have one host sending data in with the wrong timestamp, that will show up here. Most of your data could be a week old, but that one host with NTP disabled and a time setting of 1.25 years ago will make you think you are meeting your data retention requirement.
Linux file date info - this will give the first and last event dates, which may or may not be the Splunk environment's install date.
one simple idea -
ls -tl /SPLUNK_install_HOME/splunk/bin/*
The oldest file in this directory will give you an approximate date (assuming you have not done any major upgrade).
Workaround -
To find the oldest 10 files under your Splunk installation directory:
find /opt/splunk/ -type f -printf '%T+ %p\n' | sort | head -n 10
10 files, to get a clearer picture.
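The two filesystem approaches in this thread (the oldest manifest file in the install root, and the oldest N files under the whole tree) combined into one script. This is an added example, not code from any of the posters; it builds a constructed fake install tree under a temp directory (the manifest file names and dates are made up) so it runs offline. One check worth keeping in mind: find's `%T` is the modification time, which tar and rpm restore from the package, so it tends to show the packaging date that the warning above describes. `%C` is the inode change time, which an installer cannot set, so it reflects when the file was actually written to this disk. The script prints both.

```shell
#!/bin/sh
# Added example (not from the thread): locate the oldest manifest file and the
# oldest files under a Splunk install root, by mtime (%T) and by ctime (%C).
# Requires GNU find and GNU touch (Linux).

# Build a constructed fake install tree so the script runs offline.
# File names and timestamps below are invented for the example.
make_fake_install() {
  root="$1"
  mkdir -p "$root/bin" "$root/var/log/splunk"
  touch -d '2017-03-01 10:00:00' "$root/splunk-7.0.0-manifest"
  touch -d '2018-09-15 08:30:00' "$root/splunk-7.1.2-manifest"
  touch -d '2018-09-15 08:30:00' "$root/bin/splunk"
  # mtime of first_install.log is whatever the package carried, not the install time
  touch -d '2018-07-01 00:00:00' "$root/var/log/splunk/first_install.log"
}

# Oldest *manifest* file directly in the install root, by modification time.
# Output: "<mtime> <path>" for one file.
oldest_manifest() {
  find "$1" -maxdepth 1 -type f -name '*manifest*' -printf '%T+ %p\n' \
    | sort | head -n 1
}

# Just the YYYY-MM-DD part of the oldest manifest's mtime.
oldest_manifest_date() {
  oldest_manifest "$1" | cut -c1-10
}

# N (default 10) oldest files under the whole tree, by modification time.
oldest_files_mtime() {
  find "$1" -type f -printf '%T+ %p\n' | sort | head -n "${2:-10}"
}

# Same, by inode change time. tar/rpm cannot set ctime, so this is closer to
# when the files landed on this host than the packaged mtime is.
oldest_files_ctime() {
  find "$1" -type f -printf '%C+ %p\n' | sort | head -n "${2:-10}"
}

main() {
  root="${1:-$(mktemp -d)}"
  [ -d "$root" ] || { echo "no such directory: $root" >&2; exit 1; }
  # Only populate the fake tree when no real install root was given.
  [ $# -eq 0 ] && make_fake_install "$root"
  echo "oldest manifest (mtime): $(oldest_manifest "$root")"
  echo "--- oldest files by mtime (packaged time) ---"
  oldest_files_mtime "$root" 10
  echo "--- oldest files by ctime (time written to this disk) ---"
  oldest_files_ctime "$root" 10
}

# Run as:  sh oldest_splunk_files.sh /opt/splunk   (or with no args for the fake tree)
[ "${SPLUNK_EXAMPLE_NO_MAIN:-}" = "1" ] || main "$@"
```

Compare the two listings: if the mtime list is dominated by a single date that matches the release you are running, that is the packaging date; the ctime list shows when those files were extracted onto this machine, which is the better answer to the original question (unless the install was restored from a backup, which rewrites ctime too).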