Solved: Re: list time when the logs are indexed by Splunk

flzftw · ‎03-29-2016

Hey guys,

I'm a splunk newbie and I'm trying to list all the time a specific index tries to access the log file. So far I did achieve this :
index=test | eval indexed_time=strftime(_indextime, "%+") | stats max(indexed_time) by index

As far as I know It only shows the last time the test index accessed its log file.

Is it possible to list all of them ? If yes, how can I do it for a specific day ?

Thank you very much

richgalloway · ‎03-29-2016

You have the process reversed. Indexes do not access log files; log files are placed into indexes. To find all of the index times, don't use stats max.

index=test | eval indexed_time=strftime(_indextime, "%+") | table _time indexed_time source

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎03-29-2016

You have the process reversed. Indexes do not access log files; log files are placed into indexes. To find all of the index times, don't use stats max.

index=test | eval indexed_time=strftime(_indextime, "%+") | table _time indexed_time source

---
If this reply helps you, Karma would be appreciated.

flzftw · ‎03-29-2016

I see, now I understand better the process. Thank you very much !

list time when the logs are indexed by Splunk

Introducing the Splunk Community Dashboard Challenge!

Get the T-shirt to Prove You Survived Splunk University Bootcamp

Wondering How to Build Resiliency in the Cloud?