I am in the log sources provisioning phase.
I examine the "data summary" frequently to see the change in number of hosts/sources/sourcetypes to determine from which log sources, Splunk has started collecting/receving data
However, now I have noticed jump in no. of sources but same no of hosts and sourcetypes. Hence, I want to be able to find out which was that new source that has newly emerged in Splunk.
In order to do this, I am looking for a search command that will give me a list of all sources with it's first event displayed which, I guess, can be achieved by using the earliest event command.
Can someone please advise how I can achieve this ?
↧