https://community.splunk.com/t5/Splunk-Search/How-to-write-a-serach-to-list-hosts-sending-data-being-indexed/m-p/199820#M57885 <P>Hello,</P> <P>I'm trying to build a search that lists the hosts daily that are, filtering for a specific SourceType, sending data being indexed in Splunk.<BR /> Sort of a daily "Top Talkers" for a specific SourceType.</P> <P>Appreciated any help. </P> Sat, 29 Oct 2016 20:01:49 GMT DomenicoFumarol 2016-10-29T20:01:49Z https://community.splunk.com/t5/Splunk-Search/How-to-write-a-serach-to-list-hosts-sending-data-being-indexed/m-p/199820#M57885 <P>Hello,</P> <P>I'm trying to build a search that lists the hosts daily that are, filtering for a specific SourceType, sending data being indexed in Splunk.<BR /> Sort of a daily "Top Talkers" for a specific SourceType.</P> <P>Appreciated any help. </P> Sat, 29 Oct 2016 20:01:49 GMT https://community.splunk.com/t5/Splunk-Search/How-to-write-a-serach-to-list-hosts-sending-data-being-indexed/m-p/199820#M57885 DomenicoFumarol 2016-10-29T20:01:49Z https://community.splunk.com/t5/Splunk-Search/How-to-write-a-serach-to-list-hosts-sending-data-being-indexed/m-p/199821#M57886 <P>You can do this, which will run very quickly:</P> <PRE><CODE>| tstats count where index=* sourcetype=X by host | sort 0 -count </CODE></PRE> <P>If you only want to see the top 10 or top 20, replace the zero in the sort command with the number of hosts you would like to see in the results. Note that this is counting the number of events, not the size of the events. So which this may be correlated with license usage, it will be not match. For information on license usage by sourcetype, take a look at the Distributed Monitoring Console (called just the Monitoring Console starting in Splunk 6.5)</P> Sun, 30 Oct 2016 06:44:45 GMT https://community.splunk.com/t5/Splunk-Search/How-to-write-a-serach-to-list-hosts-sending-data-being-indexed/m-p/199821#M57886 lguinn2 2016-10-30T06:44:45Z https://community.splunk.com/t5/Splunk-Search/How-to-write-a-serach-to-list-hosts-sending-data-being-indexed/m-p/199822#M57887 <P>I guess you're trying to make a custom license dashboard?</P> <P>By default, there should be a search called <CODE>License Usage Data Cube</CODE> in your search app. If not, it's this search:</P> <PRE><CODE>index=_internal source=*license_usage.log* type="Usage" | eval h=if(len(h)=0 OR isnull(h),"(SQUASHED)",h) | eval s=if(len(s)=0 OR isnull(s),"(SQUASHED)",s) | eval idx=if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx) | bin _time span=1d | stats sum(b) as b by _time, pool, s, st, h, idx </CODE></PRE> <P>Accelerate that search using report acceleration and an appropriate time range, e.g. 30 days. Once the acceleration has completed, add the saved search to your dashboard as a base search and display your data with a postprocessing search something like this:</P> <PRE><CODE>| search st=$st$ | timechart span=1d sum(b) by h </CODE></PRE> <P>That's assuming <CODE>st</CODE> is a token from a dropdown selecting the sourcetype to filter by.</P> Sun, 30 Oct 2016 13:57:46 GMT https://community.splunk.com/t5/Splunk-Search/How-to-write-a-serach-to-list-hosts-sending-data-being-indexed/m-p/199822#M57887 martin_mueller 2016-10-30T13:57:46Z