Splunk Search

How do I get the Last Updated time for my index and event data?

rakesh_498115
Motivator

Hi..

I have an index called "mydata", sourcetype="my_data".

My sample event is something like this:

2013-05-12:00:12:34 reportname="X" Request ##############
..................
.
.............

Here in my sample event, I need to know the LastUpdate for the different report_names. I have the following reportnames in the event data, so I need a report like this:

report_name LastUpdateTime
X 2012-05-12:4:34:00
Y 2012-05-12:4:04:00

...

How can I get this? Please help!


yannK
Splunk Employee

If you just want to list the latest timestamp for each reportname, you can use:

index=mydata sourcetype=mysourcetype source=mysource | stats latest(_time) AS LastUpdateTime by reportname | table reportname LastUpdateTime | sort -reportname

For details, see http://docs.splunk.com/Documentation/Splunk/5.0.2/SearchReference/CommonStatsFunctions

linu1988
Champion

Hello Rakesh,
I would like to know how you monitor the data.

If the data is coming like you mentioned, doing a "table report_name, LastUpdateTime,_time|dedup report_name" will give you the latest records.

rakesh_498115
Motivator

Report names will be coming from the logfile only. Can you please give the script to send me the last update time? I don't want to run the search for all time to find the most recent time for all the reportnames.


linu1988
Champion

I wanted to know how the report names are being indexed. As an alternative, you can also write a script and configure it in inputs.conf to send you the last modified time for the report files.


rakesh_498115
Motivator

I don't the file LastUpdateTime. 😞 It's not working... monitor the data??
