topic Re: How do I write the same search that populates the "Data Summary"? in Splunk Search

How do I write the same search that populates the "Data Summary"?

samir_silva — Thu, 05 Nov 2015 20:17:51 GMT

I need the event data from the "Data Summary" because I need to create a search to find when hosts stop sending logs to our Splunk server via UDP syslog.

Thanks.

Re: How do I write the same search that populates the "Data Summary"?

jmedved — Thu, 05 Nov 2015 23:07:44 GMT

I'm pretty new to Splunk, but maybe this will help a bit. I think you need to use a metadata search. I have been using this to find dead log sources.

| metadata type=hosts index=mcafee | where recentTime < now() - 3600 | eval lastSeen = strftime(recentTime, "%F %T") | fields + host lastSeen

Maybe you can modify that for your use case.

Re: How do I write the same search that populates the "Data Summary"?

samir_silva — Mon, 16 Nov 2015 13:20:41 GMT

Thank you so much jmedved,

I used this search and It's working very well.

Thank you so much again.

| metadata type=hosts index=* | where recentTime < now() - 3600 | eval "Ultimo Envio" = strftime(recentTime, "%F %T") |fields + host "Ultimo Envio" | search host!="10.244.68.15" host!="172.26.142.131" host!="172.26.142.129"