Re: Splunk Get Earliest Data by Index and Sourcety...

jadengoho · ‎02-11-2020

Hi All,
Is it possible to get the Earliest available date of index and source type .
I tried "Tstats" and "Metadata" but they depend on the search timerange.

I need to get the earliest time that i can still search on Splunk by index and sourcetype that doesn't use "ALLTIME".
A good example would be, data that are 8months ago, without using too much resources. Just let me know if it's possible

nickhills · ‎02-11-2020

Hi @jadengoho
Try this:

| tstats earliest(sourcetype) as st  where (index=*)  by sourcetype,index,_time span=1d
| sort + _time 
| fields - st
| dedup sourcetype, index

Add any other constraints into the brackets, and run over all time.

If my comment helps, please give it a thumbs up!

jadengoho · ‎02-11-2020

But this command rely on Timerange "ALL TIME".
Im finding a way to get all 25 index earliest event.
How can i do that in the most efficient way ?

nickhills · ‎02-11-2020

An "All Time" search with tstats is not the same as a regular search with "All Time"
Its using the tsidx files and has a minimal overhead.

On my test system, I just ran this over all time (240 million events, 15 indexes) in 0.11 seconds.

If my comment helps, please give it a thumbs up!

Splunk Get Earliest Data by Index and Sourcetype

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio