topic Does host in one sourcetype gets updated or not? in Getting Data In

Does host in one sourcetype gets updated or not?

SoknySplunk — Tue, 11 Sep 2018 06:55:10 GMT

Does any body have search_query related sourcetype update that show:
- how many host in one sourcetype (increase/decrease host)?
- which host not update on time? Thanks

Re: Does host in one sourcetype gets updated or not?

renjith_nair — Tue, 11 Sep 2018 09:15:29 GMT

@SoknySplunk,

Try this and lets know if it works for you

|tstats dc(host) as count  where (index=_* OR index=*) by host,sourcetype,_time
|eventstats latest(_time) as last_seen by host,sourcetype
|bucket span=1d _time|stats dc(host) as count,latest(last_seen) as last_seen by sourcetype,host,_time
|eval delay(secs)=now()-last_seen
|eventstats sum(count) as number_of_host by sourcetype
|table _time,sourcetype,host,number_of_host,delay(secs)|sort sourcetype

Re: Does host in one sourcetype gets updated or not?

mstjohn_splunk — Wed, 12 Sep 2018 00:19:16 GMT

hi @soknysplunk,

Did the answer below solve your problem? If so, please resolve this post by approving it!

If your problem is still not solved, keep us updated so that someone else can help ya.

Thanks for posting!

Re: Does host in one sourcetype gets updated or not?

SoknySplunk — Wed, 12 Sep 2018 00:38:06 GMT

Thank you, it's a great example.

Re: Does host in one sourcetype gets updated or not?

SoknySplunk — Wed, 12 Sep 2018 01:36:08 GMT

By the way, could we use metadata to pull both host and source and last date?

Re: Does host in one sourcetype gets updated or not?

inventsekar — Fri, 02 Nov 2018 09:55:34 GMT

Great query, Renjit.. upvoted!