Need to determine the date and time of when a specific host first logged to Splunk ...
If you're looking for the date/time of the event (i.e. the value Splunk has extracted from the event), use this search:
single host:
| metadata type=hosts index=main | search host=<YOUR HOST> | convert ctime(firstTime) | table host firstTime
all hosts:
| metadata type=hosts index=main | convert ctime(firstTime) | table host firstTime
If you're looking for when the first event was indexed, use this search (select All time in the time range picker; it may take a while):
single host:
index=main host=<YOUR HOST> | stats min(_indextime) as mintime by host | convert ctime(mintime) | table host mintime
all hosts:
index=main | stats min(_indextime) as mintime by host | convert ctime(mintime) | table host mintime
That time/date would be outside the data that's currently in the main index ...