Hi all, we are currently running out of space on our indexer instance, and we want to remove the oldest data, which has been stored on the indexer instances for more than 1 year. We tried the search below to get the oldest data that was indexed on the indexer instances, but it takes too long to return a result when the time frame is set to **ALL time**.
```
index=* | stats first(_time) as latest last(_time) as earliest by index | convert timeformat="%Y-%m-%d %H:%M:%S" ctime(earliest) ctime(latest)
```
Kindly let me know if there is a better search that can get the oldest data that has been indexed and stored in the indexer instance for more than a year.
Thanks in advance.