What is the Splunk search query to find the oldest (first) event generated on an index?
index=bla | tail 1
would do the job, but unless you can pick a time window roughly around where you know the earliest event was, that is going to be horribly inefficient.
So you may first want to use a metadata or tstats search to figure out when the first event happened and then search for that specific point in time with tail 1 to find the actual event.
For example:
| tstats count where index=bla by _time | sort _time
or
| metadata type=sourcetypes where index=bla | convert ctime(firstTime)
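The two-step approach described above (find the earliest timestamp cheaply, then search only that point in time), combined into a single search by letting a subsearch supply the time window. This is an added example, not part of the answer above; index=bla is the placeholder index name used in this thread.

```spl
index=bla
    [| tstats earliest(_time) AS earliest WHERE index=bla
     | eval latest=earliest+1
     | fields earliest latest]
| sort 0 _time
| head 1
```

The tstats subsearch reads only index metadata, and because it returns fields named earliest and latest, Splunk rewrites the outer search as index=bla earliest=<epoch> latest=<epoch+1>, so the raw-event search covers a one-second window instead of all time; the final sort and head 1 return the single oldest event from that window.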
| tstats earliest(_time) AS _time WHERE index=bla
is enough
Hello @Mayurmpatil,
index=<some_index>| stats latest(_raw)
should do it
Shouldn't it be the reverse? first(_raw) ?
index="bla" | stats last(_raw)
and
index="bla" | tail 1
both of them worked...
Not first() but earliest(_raw). first() doesn't use chronological ordering, so it may give unexpected results. Also: if you don't know over what time window to run this and therefore run it over all time, it will be very inefficient I guess.