Splunk search for Time since last event by index, host and sourcetype

Copy
| tstats latest(_time) as Latest where index=* by host sourcetype index | eval now=now() | eval time_since_last=round(((now-Latest)/60)/60,2) | stats list(host) as host, list(sourcetype) as sourcetype, list(Latest) as "Latest Event" list(time_since_last) as "Time since last event (hours)" by index | convert ctime("Latest Event")
This Splunk search utilizes the tstats command to show the last time that an event was indexed for each index, host and sourcetype.
1 comment

Category:

General Splunk


Tags:

tstats Admin general

Search Commands:

Sign in or Register to submit a comment

Comments

Balakumar_m | March 2024

Thank you so much ! it made my day simple