Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do you find the earliest event in an index by sourcetype and source?

Log_wrangler
Builder
‎04-18-2018 06:02 PM

Hi

I have index = A sourcetype = A and source = /tmp/A.app.log

I want to find the earliest event (date and time) for the above.

Please advise how to write this query.

Thank you

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

skoelpin
SplunkTrust
SplunkTrust
‎04-18-2018 06:55 PM

Try this.. Set it to all-time. It uses the tsidx files for searching so it will be quick

| metasearch index = A sourcetype=A AND source="/tmp/A.app.log"
| stats earliest(_time) AS Earliest_Time
|  eval Earliest_Time=strftime(Earliest_Time,"%Y-%m-%d %H:%M:%S")

View solution in original post

Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎04-18-2018 09:51 PM

Try the tstats command with appropriate time range (try avoid using 'All times', choose a time range large enough that you know there would be some events for that index/sourcetype/source combination).

For specific index/sourcetype/source combination

| tstats max(_time) as lastReportedOn by index=A sourcetype=A source=/tmp/A.app.log by index sourcetype source | convert ctime(lastReportedOn)

For all sourcetype/source combinations in an index

| tstats max(_time) as lastReportedOn by index=A  by index sourcetype source | convert ctime(lastReportedOn)
Reply
Solved! Jump to solution

Log_wrangler
Builder
‎04-19-2018 07:02 AM

Thank you for the reply, for some reason |tstats is not working in my environment, I have used it before in other environments / deployments and it worked. Metasearch does work.

0 Karma
Reply
Solved! Jump to solution

aokur_splunk
Splunk Employee
Splunk Employee
‎01-21-2020 10:17 AM

slight typo on the query - this tstats search is faster than the metadata one if correctly typed:

   | tstats max(_time) as lastReportedOn where index=A sourcetype=A source=/tmp/A.app.log by index sourcetype source | convert ctime(lastReportedOn)
0 Karma
Reply
Solved! Jump to solution
Solution

skoelpin
SplunkTrust
SplunkTrust
‎04-18-2018 06:55 PM

Try this.. Set it to all-time. It uses the tsidx files for searching so it will be quick

| metasearch index = A sourcetype=A AND source="/tmp/A.app.log"
| stats earliest(_time) AS Earliest_Time
|  eval Earliest_Time=strftime(Earliest_Time,"%Y-%m-%d %H:%M:%S")
Reply
Solved! Jump to solution

cyvi01
Path Finder
‎11-15-2022 02:50 AM 
| stats earliest(_time) AS Earliest_Time
|  eval Earliest_Time=strftime(Earliest_Time,"%Y-%m-%d %H:%M:%S")


can be replaced by a simple 

| stats earliest(_time) AS _time


Splunk formats _time by default which allows you to avoid having to reformat the display of another field dedicated to time display.



0 Karma
Reply
Solved! Jump to solution

Log_wrangler
Builder
‎04-19-2018 07:03 AM

Thank you for the reply, your metasearch is giving me results.

0 Karma
Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...