topic Re: How to get a progressive chart of hosts added over time using the metadata command firstTime field in Splunk Search

How to get a progressive chart of hosts added over time using the metadata command firstTime field

hartfoml — Wed, 12 Aug 2015 15:12:39 GMT

I want to draw a chart of hosts added over time so that I can see at the beginning zero hosts and at the end 3,685 hosts. I would like to do this using the firstTime field from | metadata type=hosts

I have this search | metadata type=hosts | eval Date=strftime(firstTime,"%Y-%m-%d") | fields host Date but it is just a search of number of hosts added each day and not progressive over time.

I have this search index=_internal hostname="*" component="Metrics" | timechart span=d dc(hostname) from Answers, but it is using the metrics logs and takes too long over a large number of days.

I would like a count to date from the beginning for each day of my search.

Like
(day 1 count = 5)
(day 2 count = 5 + day1)
(day 3 count = 5 + day2)
and on an on.

Thanks for any help.

Re: How to get a progressive chart of hosts added over time using the metadata command firstTime field

diogofgm — Wed, 12 Aug 2015 15:27:46 GMT

Use streamstats:

| metadata type=hosts | eval date=strftime(firstTime,"%Y-%m-%d") | fields host date | chart count(host) AS new_hosts over date | streamstats sum(new_hosts) AS total_hosts

Re: How to get a progressive chart of hosts added over time using the metadata command firstTime field

somesoni2 — Wed, 12 Aug 2015 15:31:48 GMT

This should do the trick.

| metadata type=hosts index=*| eval _time=firstTime | fields _time host | timechart span=1d dc(host) as Hosts | makecontinuous | eval Hosts=coalesce(Hosts,0) | accum Hosts

Re: How to get a progressive chart of hosts added over time using the metadata command firstTime field

hartfoml — Wed, 12 Aug 2015 15:43:55 GMT

This is a very cool chart. thanks so much @diogofgm this was more than I was hoping for. Every Splunk Admin should have this chart to show growth and assimilation. Resistance is futile 🙂

Re: How to get a progressive chart of hosts added over time using the metadata command firstTime field

hartfoml — Wed, 12 Aug 2015 15:45:34 GMT

This did a great job and I am still struggling to understand the code but it had a very different result than the search above. Thanks so much for your contribution it is a great learning code for me to try on something else. Thanks Again for the help.

Re: How to get a progressive chart of hosts added over time using the metadata command firstTime field

kiran_mh — Tue, 20 Dec 2016 06:45:40 GMT

Hi somesoni2,

Using your query is it possible to get the hosts name as well?

We want to know which hosts were added in the last 7 days , a report to be generated weekly once which gives us the list of hosts which were added in the last 7 days.

Thanks in Advance