- Splunk Answers
- :
- Splunk Administration
- :
- Security
- :
- How do I find the first firewall entry?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Everyone,
I need some help figuring out how far back my firewall logs go. If I set the time picker to "All Time", and just search for Cisco ASA, I get 20 pages of events from today.
Any ideas on how I can locate when I first started getting logs into Splunk from my firewall?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello @nick598660,
You can use the metadata command to list the timestamps of the first event and of last the event for a list of sourcetypes/hosts/sources.
Try something like this:
| metadata type=sourcetypes index=YOURINDEX
| rename firstTime as "First Event" lastTime as "Last Event" recentTime as "Last Update"
| fieldformat "First Event"=strftime('First Event', "%c") | fieldformat "Last Event"=strftime('Last Event', "%c") | fieldformat "Last Update"=strftime('Last Update', "%c")
The web page under Settings / Indexes also lists the earliest event and the latest event for each index.
If the log volume is not too big, then you could also run a simple tail command to retrieve the first event. Set the time picker to "All Time":
index=YOURINDEX sourcetype=YOURSOURCETYPE | tail 1
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello @nick598660,
You can use the metadata command to list the timestamps of the first event and of last the event for a list of sourcetypes/hosts/sources.
Try something like this:
| metadata type=sourcetypes index=YOURINDEX
| rename firstTime as "First Event" lastTime as "Last Event" recentTime as "Last Update"
| fieldformat "First Event"=strftime('First Event', "%c") | fieldformat "Last Event"=strftime('Last Event', "%c") | fieldformat "Last Update"=strftime('Last Update', "%c")
The web page under Settings / Indexes also lists the earliest event and the latest event for each index.
If the log volume is not too big, then you could also run a simple tail command to retrieve the first event. Set the time picker to "All Time":
index=YOURINDEX sourcetype=YOURSOURCETYPE | tail 1
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That is exactly what I was looking for. Thank You!
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
