topic Re: Timechart showing if servers are communicating with Splunk in Splunk Search

Timechart showing if servers are communicating with Splunk

tc641 — Thu, 10 Aug 2017 13:05:13 GMT

Our Splunk expert is away 😮
I want to see the total number servers that can communicate with splunk i.e. they are on the forwarder manager. on the y-axis and time on the x axis.

I have attempted a few searches e.g
| metadata type=hosts
| chart count by recentTime

but this doesn't give me what I want really at all : (

I would appreciate any help.

Thanks 🙂

Re: Timechart showing if servers are communicating with Splunk

somesoni2 — Thu, 10 Aug 2017 14:38:28 GMT

This will give you what you want but if you've too many hosts, it won't look pretty.

| metadata type=hosts | table host recentTime | rename recentTime as _time | timechart dc(host) as hosts limit=0

For better suggestion, please describe what you're expect as the output.

Re: Timechart showing if servers are communicating with Splunk

gcusello — Thu, 10 Aug 2017 14:50:25 GMT

Hi tc641,
to you want to know servers that can communicate with Splunk or servers that are communicating with Splunk?

If the first, you can see all the server in the deployment server or find servers that sent logs in the last (e.g.) one month, running a search like

| metasearch index=_internal earliest=-1mon latest=now | dedup host | sort host | table host

If instead the second, you should do the following steps:

create a lookup perimeter.csv with one field "host"
populate it with all the servers in your perimeter: manually or scheduling a search lithe this | metasearch index=_internal earliest=-1mon latest=now | dedup host | sort host | table host | outputlookup perimeter.csv
run a search like the following | metasearch index=_internal | host=upper(host) | stats count by host | append [ | inputlookup perimeter.csv | eval count=0, host=upper(host) | fields host count ] | stats sum(count) AS Total by host
In this way servers with Total=0 are missing and Total > 0 are present

Bye.
Giuseppe

Re: Timechart showing if servers are communicating with Splunk

gcusello — Thu, 10 Aug 2017 14:50:25 GMT

Hi tc641,
to you want to know servers that can communicate with Splunk or servers that are communicating with Splunk?

If the first, you can see all the server in the deployment server or find servers that sent logs in the last (e.g.) one month, running a search like

| metasearch index=_internal earliest=-1mon latest=now | dedup host | sort host | table host

If instead the second, you should do the following steps:

create a lookup perimeter.csv with one field "host"
populate it with all the servers in your perimeter: manually or scheduling a search lithe this | metasearch index=_internal earliest=-1mon latest=now | dedup host | sort host | table host | outputlookup perimeter.csv
run a search like the following | metasearch index=_internal | host=upper(host) | stats count by host | append [ | inputlookup perimeter.csv | eval count=0, host=upper(host) | fields host count ] | stats sum(count) AS Total by host
In this way servers with Total=0 are missing and Total > 0 are present

Bye.
Giuseppe

Re: Timechart showing if servers are communicating with Splunk

DalJeanis — Thu, 10 Aug 2017 15:02:30 GMT

here's one way...

| tstats dc(host) as hostcount WHERE index=_internal by _time span=1h 
| timechart span=1d avg(hostcount)

Here's some other useful ones...

https://answers.splunk.com/answers/294769/how-to-get-a-progressive-chart-of-hosts-added-over.html