Hello Everyone,
I need some help figuring out how far back my firewall logs go. If I set the time picker to "All Time", and just search for Cisco ASA, I get 20 pages of events from today.
Any ideas on how I can locate when I first started getting logs into Splunk from my firewall?
Hello @nick598660,
You can use the metadata command to list the timestamps of the first event and of the last event for a list of sourcetypes/hosts/sources.
Try something like this:
| metadata type=sourcetypes index=YOURINDEX
| rename firstTime as "First Event" lastTime as "Last Event" recentTime as "Last Update"
| fieldformat "First Event"=strftime('First Event', "%c")
| fieldformat "Last Event"=strftime('Last Event', "%c")
| fieldformat "Last Update"=strftime('Last Update', "%c")
The web page under Settings / Indexes also lists the earliest event and the latest event for each index.
If the log volume is not too big, then you could also run a simple tail command to retrieve the first event. Set the time picker to "All Time":
index=YOURINDEX sourcetype=YOURSOURCETYPE | tail 1
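As an added example (not part of the original answer), the same question can be answered per firewall host with tstats, which reads the index's tsidx summaries and so stays fast even on an index too large for tail. It assumes the placeholder index YOURINDEX and the Cisco ASA add-on's sourcetype name cisco:asa; substitute your own values.

```spl
| tstats min(_time) AS first_event max(_time) AS last_event count
    WHERE index=YOURINDEX sourcetype=cisco:asa BY host
| eval first_event=strftime(first_event, "%Y-%m-%d %H:%M:%S"),
       last_event=strftime(last_event, "%Y-%m-%d %H:%M:%S")
| sort first_event
```

Both this search and the metadata command report event time (_time); to see when events actually arrived in Splunk, compare against _indextime, because a firewall with a wrong clock or a failed timestamp extraction can report a first event far from the real ingestion date.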
That is exactly what I was looking for. Thank You!