Splunk search for Last time that a host or sourcetype reported data

Copy
| metadata type=hosts | table * | append [ | metadata type=sourcetypes | table * ] | eval time = now() - lastTime | eval Source = coalesce(host,sourcetype)| table Source type time lastTime totalCount | sort - lastTime | rename time as "Time Since Last Event (sec)" | convert ctime(lastTime) timeformat="%m/%d/%Y %H:%M:%S %z" | rename lastTime as "Time of Last Event"
This Splunk search utilizes the metadata command to provide information on events that are being ingested into Splunk. The search will yield the last time that a host or sourcetype shows up in an event ingested by Splunk. Results are sorted such that the most recently ingested sources/hosts will be at the top of the results.
0 comments

Category:

General Splunk


Tags:

Admin general metadata

Search Commands:

Sign in or Register to submit a comment