
Hi,

The Splunk plugin allows checking index updates:

Service Alias | Service Template                         | Service Description            | Default
Index-Update  | App-Monitoring-Splunk-Index-Update-Api  | Check indexes last update time | X

 

or in French (translated):

Alias        | Service Template                         | Description                                            | Default
Index-Update | App-Monitoring-Splunk-Index-Update-Api  | Checks the time at which an index was last updated     | X

 

 

BUT: the "last update time" doesn't return the latest record in the sense of "the closest to now", but instead the oldest record in the index. So it is of no use for checking whether indexes are updated regularly.
 

→ it would be nice to upgrade the plugin and add the possibility to get the real "latest" record time (identified as "min time" in Splunk).

Regards,

Status changed: New → Discussion ongoing

This seems more like a bug than an idea. We will investigate the impact of such a change.


We don't use the attribute maxTime in the API. And it's the value provided by Splunk. https://github.com/centreon/centreon-plugins/blob/develop/src/apps/monitoring/splunk/custom/api.pm#L226

 

The "last update" name comes from Centreon (a rename of maxTime in the mode).


@FredericGerard Can you please confirm this is resolved based on @qgarnier’s reply?


Hi,

Sorry for the delay.
I'm a bit puzzled.

The plugin code gets a maxTime attribute:

```perl
# For each index entry: walk its s:key attributes and keep only the one named
# maxTime (skipping it when it has no content), converting it to an age in seconds.
foreach my $attribute (@{$_->{content}->{'s:dict'}->{'s:key'}}) {
    next if ($attribute->{name} ne 'maxTime' || !defined($attribute->{content}));
    my $epoch_time = ( time() - $self->convert_iso8601_to_epoch(time_string => $attribute->{content}) );
    push @index_update_time, { index_name => $_->{title}, ts_last_update => $epoch_time };
}
```

Result for "_audit" last updates according to Centreon

The "maxTime" attribute is also used in the Splunk search (the middle of the query is elided, and one line of the original is truncated):

```
| rest splunk_server_group=dmc_group_indexer splunk_server_group="*" /services/data/indexes/_audit
| join title splunk_server type=outer [ rest splunk_server_group=dmc_group_indexer splunk_server_group="*" /services/data/indexes-extended/_audit ]
| eval bucketCount = coalesce(total_bucket_count, 0)
...
| eval eventCount = coalesce(totalEventCount, 0)
...dexSizeGB / indexMaxSizeGB * 100, 2)."%", "N/A")
| eval total_raw_size = coalesce(total_raw_size, 0) | stats max(maxTime) as newestEvent
```
            
Result for "_audit" last updates according to Splunk

So the “last update” returned by Centreon is the “earliest event” of the index.

The only difference I can see is that the Splunk request applies the "max" function to the maxTime attribute. I don't know whether the Centreon request gets a list of maxTime values and, in that case, which one is kept.


I don't really understand the Splunk syntax. We use the endpoint: /services/data/indexes

We don't have a list of times. We have a list of indexes with one maxTime per index. It looks the same as this: https://www.splunksearches.com/post.html?splunk%20search%20for=Detailed+information+on+Indexes&id=121

 

Could you ask your Splunk support about it?


Hi Quentin,

I agree the Splunk syntax is not always human-friendly.

The request seems OK, I've just tried it:

or the same without renaming fields

So the maxTime attribute has the right value.

In the meantime, I have a doubt about this line of code, but I'm not familiar with Perl:
next if ($attribute->{name} ne 'maxTime' || !defined($attribute->{content}));
The way I understand it: if the attribute name is "minTime", the first part of the test is false, so the second part is evaluated. The attribute content is the time elapsed since the first event, so it is defined, so "!defined" is false. So the whole expression is false, so "next" won't be executed, and since the API delivers the minTime entry after the maxTime one, its value will fill index_update_time.
Correct?
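To make the behaviour of that `next if` condition concrete, here is a self-contained Perl script, added as an example and not part of the original thread or the centreon-plugins code. It feeds a constructed, in-memory stand-in for two parsed `/services/data/indexes` entries (one with minTime, maxTime and totalEventCount keys, one with an empty maxTime) through the same filter the plugin uses, prints which attributes are skipped, and converts the kept maxTime to an age in seconds with a small ISO 8601 parser (`iso8601_to_epoch`, an assumption standing in for the plugin's `convert_iso8601_to_epoch`; the nested `content`/`s:dict`/`s:key` hash shape is assumed from the snippet above).

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Time::Local qw(timegm);

# Constructed sample: the shape the plugin's loop reads after XML parsing
# (assumption based on the snippet quoted in this thread, not a real capture).
my @entries = (
    {
        title   => '_audit',
        content => { 's:dict' => { 's:key' => [
            { name => 'minTime',         content => '2023-01-02T03:04:05+0000' },
            { name => 'maxTime',         content => '2024-06-01T10:00:00+0200' },
            { name => 'totalEventCount', content => '12345' },
        ] } },
    },
    {
        title   => 'empty_index',
        content => { 's:dict' => { 's:key' => [
            { name => 'maxTime', content => undef },   # index has no events yet
        ] } },
    },
);

# Parse "YYYY-MM-DDTHH:MM:SS" followed by Z or +HHMM/-HH:MM into a UTC epoch.
# Stand-in for the plugin's convert_iso8601_to_epoch (assumed helper).
sub iso8601_to_epoch {
    my ($s) = @_;
    my ($Y, $m, $d, $H, $M, $S, $tz) =
        $s =~ /^(\d{4})-(\d\d)-(\d\d)T(\d\d):(\d\d):(\d\d)(Z|[+-]\d\d:?\d\d)$/
        or die "unparseable time string: $s\n";
    my $epoch = timegm($S, $M, $H, $d, $m - 1, $Y);
    if ($tz ne 'Z') {
        my ($sign, $oh, $om) = $tz =~ /^([+-])(\d\d):?(\d\d)$/;
        my $offset = $oh * 3600 + $om * 60;
        # local time = UTC + offset, so UTC = local time - offset
        $epoch -= ($sign eq '+') ? $offset : -$offset;
    }
    return $epoch;
}

# Same filter as the plugin loop: keep only keys named maxTime with content.
# Returns the list the plugin would build; also traces the skip decision.
sub collect_last_update {
    my ($now, @idx) = @_;
    my @index_update_time;
    for my $entry (@idx) {
        for my $attribute (@{ $entry->{content}{'s:dict'}{'s:key'} }) {
            my $skip = ($attribute->{name} ne 'maxTime' || !defined $attribute->{content});
            printf "%-12s %-16s skip=%d\n", $entry->{title}, $attribute->{name}, $skip ? 1 : 0;
            next if $skip;
            push @index_update_time, {
                index_name     => $entry->{title},
                ts_last_update => $now - iso8601_to_epoch($attribute->{content}),
            };
        }
    }
    return @index_update_time;
}

# Fixed "now" so the run is reproducible: 2024-06-01T12:00:00Z
my $now = timegm(0, 0, 12, 1, 5, 2024);
for my $r (collect_last_update($now, @entries)) {
    printf "%s: last update %d seconds ago\n", $r->{index_name}, $r->{ts_last_update};
}
```

Run it with `perl filter_demo.pl`; the trace lines show, for every attribute name the API returns, whether the condition skips it, and the final lines show which entries end up in the result and with what age.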


For me the condition is OK. But you can send me the JSON output with --debug.


OK,

Sent as an attached file by mail.

Regards,


Status changed: Discussion ongoing → In Backlog

Hello :)

We have never received a response from Splunk support, so we are forced to close this request.


Status changed: In Backlog → Declined