topic Re: Find hosts matching naming criteria in Splunk? in Splunk Search

Find hosts matching naming criteria in Splunk?

sm600 — Thu, 25 Jun 2015 19:32:24 GMT

We use this search quite a bit, and love it. In this example it provides a list of all hosts (servers) reporting to splunk in a specific index...

|metadata type=hosts index=ms_ad_log| convert timeformat=" %m/%d/%Y" ctime(*) none(host) none(type) none(totalCount) |rename firstTime AS first, recentTime AS last, totalCount as total | table host,first,last,total | sort - total

But...I need to narrow this search to a specific set of hosts that are named IAA -- and using this search criteria doesn't seem to work....

|metadata type=hosts index=* host=*IAA*| convert timeformat=" %m/%d/%Y" ctime(*) none(host) none(type) none(totalCount) |rename firstTime AS first, recentTime AS last, totalCount as total | table host,first,last,total | sort - total

Any ideas?

Re: Find hosts matching naming criteria in Splunk?

sk314 — Thu, 25 Jun 2015 21:05:49 GMT

Did you try using host=IAA* ?

Re: Find hosts matching naming criteria in Splunk?

MuS — Thu, 25 Jun 2015 21:14:15 GMT

Hi sm600,

@sk314 got it almost correct 😉 Try this:

| metadata type=hosts index=* 
| search host=IAA*
| convert timeformat=" %m/%d/%Y" ctime(*) none(host) none(type) none(totalCount) 
| rename firstTime AS first, recentTime AS last, totalCount as total 
| table host,first,last,total 
| sort - total

cheers, MuS

Re: Find hosts matching naming criteria in Splunk?

sk314 — Thu, 25 Jun 2015 21:22:01 GMT

Not again! 😐 😛

Re: Find hosts matching naming criteria in Splunk?

sm600 — Fri, 26 Jun 2015 00:29:55 GMT

Thanks...adding

|search host=*iaa*|

worked perfectly