https://community.splunk.com/t5/Splunk-Search/What-is-the-most-efficient-way-to-search-for-unique-hosts-by-a/m-p/181960#M52443 <P>I was just about to post that <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span> Here's the documentation on the metadata command for future reference @victorstarostenko</P> <P>Cheers!</P> Thu, 23 Oct 2014 18:31:53 GMT ppablo 2014-10-23T18:31:53Z https://community.splunk.com/t5/Splunk-Search/What-is-the-most-efficient-way-to-search-for-unique-hosts-by-a/m-p/181958#M52441 <P>I need to find unique hosts consumed by a specific index. <BR /> I use the following search string:</P> <PRE><CODE>index=my_index |stats values(host) </CODE></PRE> <P>As I understand, 'values' returns unique values for 'host'. This gives me what I need, but takes a <STRONG>loooooong</STRONG> time (3+ hours). <BR /> Is there a better way?</P> <P>Thanks!</P> Thu, 23 Oct 2014 18:21:27 GMT https://community.splunk.com/t5/Splunk-Search/What-is-the-most-efficient-way-to-search-for-unique-hosts-by-a/m-p/181958#M52441 victorstarosten 2014-10-23T18:21:27Z https://community.splunk.com/t5/Splunk-Search/What-is-the-most-efficient-way-to-search-for-unique-hosts-by-a/m-p/181959#M52442 <P>Yes, there is a faaar better way;</P> <PRE><CODE>| metadata type=hosts index=your_index_here </CODE></PRE> <P>EDIT: and yes. The search actually starts with a pipe.</P> <P>/K</P> Thu, 23 Oct 2014 18:29:16 GMT https://community.splunk.com/t5/Splunk-Search/What-is-the-most-efficient-way-to-search-for-unique-hosts-by-a/m-p/181959#M52442 kristian_kolb 2014-10-23T18:29:16Z https://community.splunk.com/t5/Splunk-Search/What-is-the-most-efficient-way-to-search-for-unique-hosts-by-a/m-p/181960#M52443 <P>I was just about to post that <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span> Here's the documentation on the metadata command for future reference @victorstarostenko</P> <P>Cheers!</P> Thu, 23 Oct 2014 18:31:53 GMT https://community.splunk.com/t5/Splunk-Search/What-is-the-most-efficient-way-to-search-for-unique-hosts-by-a/m-p/181960#M52443 ppablo 2014-10-23T18:31:53Z https://community.splunk.com/t5/Splunk-Search/What-is-the-most-efficient-way-to-search-for-unique-hosts-by-a/m-p/181961#M52444 <P>Perfect.</P> <P>Thank you.</P> Thu, 23 Oct 2014 18:37:21 GMT https://community.splunk.com/t5/Splunk-Search/What-is-the-most-efficient-way-to-search-for-unique-hosts-by-a/m-p/181961#M52444 victorstarosten 2014-10-23T18:37:21Z https://community.splunk.com/t5/Splunk-Search/What-is-the-most-efficient-way-to-search-for-unique-hosts-by-a/m-p/181962#M52445 <P><CODE>metadata</CODE> is the way to go here, but if your <CODE>stats</CODE> requirements on indexed fields become more complex you should take a look at <CODE>tstats</CODE>: <A href="http://docs.splunk.com/Documentation/Splunk/6.1.4/SearchReference/tstats">http://docs.splunk.com/Documentation/Splunk/6.1.4/SearchReference/tstats</A></P> <P>For example</P> <PRE><CODE>| tstats count where index=* by index sourcetype host </CODE></PRE> <P>Will give you a blazingly fast summary of what your Splunk data looks like in those three dimensions.</P> Thu, 23 Oct 2014 22:42:07 GMT https://community.splunk.com/t5/Splunk-Search/What-is-the-most-efficient-way-to-search-for-unique-hosts-by-a/m-p/181962#M52445 martin_mueller 2014-10-23T22:42:07Z