I need Splunk query to get maximum indexed timestamp or latest indexed timestamp for a source type.
Please help as I am stucked here for quite long.
your help is highly appreciated.
thanks
Asked
Active
Viewed 797 times
1 Answers
2
This should do it.
| tstats latest(_time) where index=* by sourcetype
RichG
- 9,063
- 2
- 18
- 29
-
Hi Rich...you are bang on , above command providing me timestamp of any one of source type that is last indexed but I need to search timestamp of only particular source type i.e. source type="fields.json". can you help me with the query? – Anshu Dec 19 '18 at 18:12
-
Just a simple variation of the same command. `| tstats latest(_time) where index=* sourcetype="fields.json"`. If you know the index name, use it instead of `*` for better performance. – RichG Dec 19 '18 at 18:24
-
Rich, When I am using your above command to search particular source type latest indexed timestamp, I am getting the result on Splunk web, but when I am using this command from linux using curl I am getting fatal error: – Anshu Dec 20 '18 at 09:33
-
command--> curl -k1 -u admin:prateeks https://Host:port/services/search/jobs/
/results/ --get -d output_mode=csv error--> – Anshu Dec 20 '18 at 09:35Error in 'TsidxStats': Missing field list after 'GROUPBY' or 'by' keyword -
curl command I am using to get the SID is:- curl -k1 -u username:pwd https://hostname:port/services/search/jobs -d search="| tstats latest(_time) where index=* by sourcetype=fields.json" – Anshu Dec 20 '18 at 10:12
-
Remove 'by ' from your query. – RichG Dec 20 '18 at 23:10
-
Thanks Rich...a huge shout out for you! – Anshu Dec 21 '18 at 09:49