Hi,
I am trying to create a lookup that has the names of all the indexes and the timestamp of the oldest event in that index.
I am running the below search for this:
|tstats earliest(_time) as oldestEvent by index | outputlookup abcd.csv
I ran this search for almost 3 hours, and even then, the search wasn't complete. Though, when hovering over the progress bar, I was able to see that the search had scanned 100% of the events, but there were no results in the CSV.
Can someone help me with this?
Regards,
Arpit
Try this:
| metasearch index=* | stats earliest(_time) as earliest_time by index
This search is also taking forever to run.
@Arpit_S
Have you tried the rest command?
| rest /services/data/indexes
Can you please confirm it's working for you?
| rest /services/data/indexes | table title minTime | rename minTime as oldestEvent, title as index | outputlookup abcd.csv
Thanks
@kamlesh_vaghela I am able to run "| rest /services/data/indexes" but there is no value under the minTime field for me.
@Arpit_S
Did you get the minTime field blank for all the indexes?