Splunk search for Latest event reported

| tstats latest(_time) as latest_time by index, sourcetype, host
| eval now_time=now()
| eval time_since_last=now()-latest_time
| where time_since_last>=3600
| foreach *_time [ | eval <<FIELD>>=strftime(<<FIELD>>,"%m/%d/%Y %H:%M:%S") ]
| rename latest_time as "Time of Last Event", now_time as "Present Time", time_since_last as "Seconds Since Last Event"
This search lists every index, sourcetype and host combination whose most recent indexed event is at least 3600 seconds (one hour) old. For each one it shows the time of the last event, the present time, the seconds since the last event, and the index, sourcetype and host, so silent log sources can be spotted before the detections that depend on them go blind. Because tstats only sees data that has already been indexed, a source that has never reported will not appear in the results; tune the 3600-second threshold to the expected reporting interval of each source.
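The same stale-source check as a stand-alone Python reference, added here as an example (not part of the original post) for running against event records exported from Splunk; the sample events, the `NOW` value and the output timestamps in UTC are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Seconds of silence after which a source is reported; mirrors the
# "where time_since_last>=3600" clause of the Splunk search.
STALE_AFTER_SECONDS = 3600


def stale_sources(events, now, threshold=STALE_AFTER_SECONDS):
    """Mirror the tstats search: latest event per (index, sourcetype, host),
    then keep the groups whose latest event is at least `threshold` seconds old.

    `events` is an iterable of dicts with keys _time (epoch seconds), index,
    sourcetype and host. Returns rows using the renamed output columns of the
    original search, longest-silent source first.
    """
    latest = defaultdict(float)
    for ev in events:
        key = (ev["index"], ev["sourcetype"], ev["host"])
        latest[key] = max(latest[key], float(ev["_time"]))

    def fmt(epoch):
        # Same display format as strftime(<<FIELD>>,"%m/%d/%Y %H:%M:%S"); UTC is
        # used here so the output does not depend on the local timezone.
        return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%m/%d/%Y %H:%M:%S")

    rows = []
    for (index, sourcetype, host), latest_time in latest.items():
        since = now - latest_time
        if since >= threshold:  # inclusive, like the SPL ">=" comparison
            rows.append({
                "index": index, "sourcetype": sourcetype, "host": host,
                "Time of Last Event": fmt(latest_time),
                "Present Time": fmt(now),
                "Seconds Since Last Event": int(since),
            })
    rows.sort(key=lambda r: r["Seconds Since Last Event"], reverse=True)
    return rows


# Constructed sample data (not from the original page): a healthy source with
# old and fresh events, one silent for two hours, one exactly at the threshold.
NOW = 1_700_000_000  # 11/14/2023 22:13:20 UTC
SAMPLE_EVENTS = [
    {"_time": NOW - 9000, "index": "wineventlog", "sourcetype": "WinEventLog:Security", "host": "dc01"},
    {"_time": NOW - 120, "index": "wineventlog", "sourcetype": "WinEventLog:Security", "host": "dc01"},
    {"_time": NOW - 7200, "index": "linux", "sourcetype": "syslog", "host": "web01"},
    {"_time": NOW - 3600, "index": "firewall", "sourcetype": "pan:traffic", "host": "fw-edge"},
]

if __name__ == "__main__":
    for row in stale_sources(SAMPLE_EVENTS, NOW):
        print(row)
```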

Category:

General Splunk


Tags:

tstats administration