topic Re: Splunk internal fields on reports in Reporting

Splunk internal fields on reports

lohit — Tue, 22 Oct 2013 12:24:01 GMT

Hi All,

I would like to generate a report that includes the following parameter

Host Name
Host IP
Host OS type
Log Source type
Amount of logs indexed.

Also i would like to create a report that can state the current searches in Splunk?

Please help

Re: Splunk internal fields on reports

lohit — Tue, 22 Oct 2013 12:27:34 GMT

just to clear more on the parameters 'host name', 'host ip', 'host os type' are the details of the host from which logs are coming.

Re: Splunk internal fields on reports

ShaneNewman — Tue, 22 Oct 2013 12:57:57 GMT

Why don't you just download the deployment monitor app? It has all of that pre-built.

http://apps.splunk.com/app/1294/

Re: Splunk internal fields on reports

lukejadamec — Tue, 22 Oct 2013 13:23:47 GMT

You can do:

1.Host Name

2.Host IP

3.Host OS type

4.Amount of logs indexed.

With

index=_internal (source=*/metrics.log* OR source=*\\metrics.log*) group="tcpin_connections" |stats sum(kb) by hostname,sourceHost,os |sort -sum(kb) | rename sourceHost AS HostIP, hostname AS HostName, os AS OSType

And you can do sourcetype with:

index=_internal (source=*/metrics.log* OR source=*\\metrics.log*) group=per_sourcetype_thruput | stats sum(kb) by series |sort -sum(kb)

But you cannot get sourcetype by host. At least I can't figure out how to do it.

Re: Splunk internal fields on reports

lukejadamec — Tue, 22 Oct 2013 14:02:06 GMT

This does not show sourcetype thruput by host, nor does it show the host IP.

Re: Splunk internal fields on reports

lohit — Mon, 28 Sep 2020 15:02:23 GMT

Hi Luke,

i was actually running the first search but over group=per_host_thruput. I will surely run your search..but in my environment, i have 8 universal forwarders but in hostname filed in _internal index it is showing only 3. Why is this happening. Any idea??

Also, how can i list the saved searches in a report?

Please help!!

Re: Splunk internal fields on reports

lukejadamec — Tue, 22 Oct 2013 15:16:11 GMT

For starters, if you like my answer then you could upvote it:)
What do you mean when you say "list the saved searches" exactly?

Re: Splunk internal fields on reports

lohit — Tue, 22 Oct 2013 15:19:51 GMT

Done luke. :). I would be really helpful if you could also guide me in solving the problem of discrepenancy of no of actual hosts and listed in _internal.

All the searches that i have created in splunk, i want to show them in a report.

Re: Splunk internal fields on reports

lukejadamec — Mon, 28 Sep 2020 15:02:25 GMT

Group per_host_thruput will list the host in the field "series".
Group tcpin will list the host in the field hostname.
Are you sure that the hosts have sent data in the time frame that you are searching?

Re: Splunk internal fields on reports

lukejadamec — Tue, 22 Oct 2013 15:27:13 GMT

You want to list the search names, or you want to report the search results?
As for the hosts, first verify that you have data from the missing hosts in the timeframe you're searching.

Re: Splunk internal fields on reports

lohit — Tue, 22 Oct 2013 15:31:29 GMT

I am searching for the hosts over the whole time span.

Also i want to display search names and if i have done any modification in inbuilt searches.

Re: Splunk internal fields on reports

lukejadamec — Tue, 22 Oct 2013 15:38:35 GMT

Regarding the hosts, are you using heavy forwarders?

Re: Splunk internal fields on reports

lohit — Tue, 22 Oct 2013 15:40:04 GMT

I am using universal forwarders

Re: Splunk internal fields on reports

lukejadamec — Tue, 22 Oct 2013 15:55:49 GMT

Are all hosts sending data to the indexer, or are some of the hosts sending data to other universal forwarders and then on to the indexer?

Re: Splunk internal fields on reports

lohit — Tue, 22 Oct 2013 16:05:55 GMT

All the universal forwarder are sending logs to indexer directly.

Re: Splunk internal fields on reports

lukejadamec — Tue, 22 Oct 2013 16:14:12 GMT

What search are you running exactly when you look for hosts?

Re: Splunk internal fields on reports

lohit — Tue, 22 Oct 2013 16:16:30 GMT

I am just running the search that you specified.

Re: Splunk internal fields on reports

lukejadamec — Mon, 28 Sep 2020 15:02:28 GMT

Try adding fillnull value=null before stats.
index=_internal (source=*/metrics.log* OR source=*\\metrics.log*) group="tcpin_connections" | fillnull value=null | stats sum(kb) by hostname,sourceHost,os |sort -sum(kb) | rename sourceHost AS HostIP, hostname AS HostName, os AS OSType

Re: Splunk internal fields on reports

lohit — Wed, 23 Oct 2013 05:21:55 GMT

yeah it is working now.. Luke if i have to display

OS type
No of servers(of a specific OS type)

what modification should i made in the baove search.

Re: Splunk internal fields on reports

lukejadamec — Mon, 28 Sep 2020 15:03:47 GMT

Try this:
index=_internal (source=*/metrics.log* OR source=*\\metrics.log*) group="tcpin_connections" | fillnull value=null | dedup hostname| stats count by os | rename os AS OSType