Refine your search:

Difference between lastTime and recentTime in metadata output

0

Can someone explain the distinction between the lastTime and recentTime fields in the output of the | metadata command?

asked 01 Oct '10, 15:00

southeringtonp's gravatar image

southeringtonp ♦
4.5k1215
accept rate: 35%

2 Answers:
oldestnewestmost voted
2

firstTime and lastTime show you the bounds of your timestamps for the entry in question. Think of this like | stats min(_time) as firstTime, max(_time) as lastTime.

The recentTime is the last timestamp that splunk received for the given entry in question. (This would be something like | sort -_indextime | head 1 | rename _time as recentTime.)

Keep in mind that the metadata command is really just pulling in saved statistics about your host/source/sourcetype that are stored within an individual index. (You can see them in the *.data files within the index folder and under individual bucket folders.) Keep in mind that the search examples above are really only meant to give you a comparable idea of what's going on, but they are probably over simplified.

So, unless you have events coming in out of order, then lastTime and recentTime will probably contain the same value.

link

answered 01 Oct '10, 15:04

Lowell's gravatar image

Lowell ♦
9.6k637
accept rate: 40%

edited 01 Oct '10, 18:27

1

The question has been answered before: http://answers.splunk.com/questions/5626/what-is-the-difference-between-lasttime-and-recenttime-in-a-metadata-search/5630#5630

It seems like recentTime is (possibly extracted) timestamp of the last event that has gotten into the index and lastTime is the latest timestamp found in the index - max(_time).

So none of the values would represent max(_indextime) as I understood.

link

answered 01 Oct '10, 15:18

ziegfried's gravatar image

ziegfried ♦
7.2k1315
accept rate: 53%

After looking closer at the values, I think you are correct about the max(_indextime) thing. I've updated my answer accordingly. Thanks for pointing this out.

(01 Oct '10, 19:43) Lowell ♦
Post your answer
toggle preview

Follow this question

Log In to enable email subscriptions

RSS:

Answers

Answers + Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "Title")
  • image?![alt text](/path/img.jpg "Title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

learn more about Markdown

Tags:

×74

Asked: 01 Oct '10, 15:00

Seen: 709 times

Last updated: 01 Oct '10, 18:27

Related questions

What is the difference between lastTime and recentTime in a metadata search?

working with metadata output.

on a '| metadata type=hosts' search, what do each of the fields stand for?

Machine Data same as Metadata

metadata with splunk_server

metadata via REST API

Metadata filtered by eventtype

Can you use the metadata command over all indexes?

Question on metadata

Copyright © 2005-2012 Splunk, Inc. All rights reserved.