I'm trying to come up with a query that shows me the earliest (oldest) event in each index on every server that I have. A naive way of doing this might be:
index=* | stats earliest(_time) as earliest_time by splunk_server, index
But I really don't want to run it on all available data... Is there a metadata-based query for getting the same information?
Try | metadata type=hosts; this will give you a good overview.
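
An added example, not part of the original thread: one way to get the per-server, per-index breakdown asked for without scanning raw events is tstats, which reads the index-time summary (tsidx) files. The output field names earliest_time, earliest_readable and age_days are chosen here for illustration.

```spl
| tstats min(_time) as earliest_time where index=* by splunk_server, index
| eval earliest_readable = strftime(earliest_time, "%Y-%m-%d %H:%M:%S")
| eval age_days = round((now() - earliest_time) / 86400, 1)
| sort splunk_server, index
```

Run it with the time range set to All time, otherwise the result only reflects the oldest event inside the selected window. Internal indexes are matched by index=_* rather than index=*.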