Splunk search for Latest time events received by index and sourcetype

| tstats latest(_time) as "Last Received" by index, sourcetype | eval "Last Received"=strftime('Last Received',"%m/%d/%Y %H:%M:%S") | stats list(sourcetype) as sourcetype, list("Last Received") as "Last Received" by index
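This Splunk search displays the last time an event was received for each sourcetype, grouped by index. A sourcetype whose last-received time is older than expected is a sign that a forwarder or input has stopped sending data.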
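The search above extended into a check for silent sources, as an added example that is not part of the original page: it lists only the index and sourcetype pairs that have received nothing for longer than a threshold, oldest first. The 7-day lookback, the 24-hour threshold and the field names last_received, threshold_hours and hours_silent are assumptions to adjust for your environment.

```spl
| tstats latest(_time) as last_received where index=* earliest=-7d by index, sourcetype
| eval threshold_hours=24
| eval hours_silent=round((now() - last_received) / 3600, 1)
| where hours_silent > threshold_hours
| eval last_received=strftime(last_received, "%m/%d/%Y %H:%M:%S")
| sort - hours_silent
| table index, sourcetype, last_received, hours_silent
```

A sourcetype with no events at all inside the lookback window does not appear in the results, so the lookback has to be longer than the longest gap you want to catch.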

Category: General Splunk

Tags: tstats Admin audit
