topic how do i find where each hosts are indexing data in Getting Data In

how do i find where each hosts are indexing data

ranjitbrhm1 — Sat, 31 Mar 2018 12:05:46 GMT

the reason for this is because someone made a mix-up on the UF and then some hosts are indexing to the wrong index. Is there an easy way to find the Index to which each hosts are indexing different data?

Re: how do i find where each hosts are indexing data

niketn — Sat, 31 Mar 2018 16:51:58 GMT

You can use either tstats or metadata command on your index to get stats by host

| tstats count where index="<yourIndexName>" by host

| metadata type=hosts where index="<yourIndexName>"
| fieldformat firstTime=strftime(firstTime,"%Y/%m/%d %H:%M:%S")
| fieldformat lastTime=strftime(lastTime,"%Y/%m/%d %H:%M:%S")
| table host firstTime lastTime totalCount

Re: how do i find where each hosts are indexing data

gcusello — Sun, 01 Apr 2018 08:46:16 GMT

Hi ranjitbrhm1,
try something like this:

| metasearch index=*
| stats values(indexes) AS indexes count by host

In this way you have all the indexes for each host.

To correct errors, it could be useful to have also sources, so you can intervene:

| metasearch index=*
| stats values(sources) AS sources count BY host index

To have all the sources when some host logs are archived.

Have an Happy Easter.
Bye.
Giuseppe