topic Re: Source and Host in Splunk Search

Source and Host

tmurray3 — Fri, 30 Sep 2011 17:48:03 GMT

I am trying to write a query to return host, source, last updated. However, it appears as though the source and host data are not stored together in the metadata. I can get a list of sources using the query:

"|metadata type=sources index=iam_eat"

but cant figure out how to include the hostname. I tried this query:

|metadata type=sources index=iam_eat| map search="search index=iam_eat earliest=-1m source=$source$|stats count by host,source" maxsearches=10

This query works, but only includes hosts & sources that have been updated in the last minute. If the source has not been updated, then I would like it to show up in my list with a count of 0.

Any help will be greatly appreciated!!!!

Thanks

Re: Source and Host

Simeon — Fri, 30 Sep 2011 19:17:33 GMT

They are not included together. You can run separate searches against the metadata to find that out.

What is your ultimate goal with this data?

Re: Source and Host

tmurray3 — Fri, 30 Sep 2011 19:40:24 GMT

My goal is to simple. I want to display a table with host, source and last time updated. Basically, everything listed in the "|metadata type=sources" results, plus add a host column