https://community.splunk.com/t5/Splunk-Search/How-to-write-a-search-to-find-new-hosts-that-are-sending-logs-to/m-p/218368#M64169 <P>hi sumitkathpal,<BR /> You can see which hosts are sending logs to Splunk with this simple search:</P> <PRE><CODE>index=_internal </CODE></PRE> <P>If you want to verify if there are new hosts you have to insert your hosts in a lookup and search for them:</P> <PRE><CODE>index=_internal NOT [ | inputlookup my_hosts.csv | fields host ] </CODE></PRE> <P>in this way you can find if an host is or not in your lookup.<BR /> Bye.<BR /> Giuseppe</P> Wed, 04 Jan 2017 11:12:46 GMT gcusello 2017-01-04T11:12:46Z https://community.splunk.com/t5/Splunk-Search/How-to-write-a-search-to-find-new-hosts-that-are-sending-logs-to/m-p/218367#M64168 <P>Dear Experts,</P> <P>We are looking for a search where we can find new hosts that are sending logs to Splunk. I am stuck and don't know where to start.</P> <P>Any help. Thanks in advance</P> Wed, 04 Jan 2017 11:03:44 GMT https://community.splunk.com/t5/Splunk-Search/How-to-write-a-search-to-find-new-hosts-that-are-sending-logs-to/m-p/218367#M64168 sumitkathpal 2017-01-04T11:03:44Z https://community.splunk.com/t5/Splunk-Search/How-to-write-a-search-to-find-new-hosts-that-are-sending-logs-to/m-p/218368#M64169 <P>hi sumitkathpal,<BR /> You can see which hosts are sending logs to Splunk with this simple search:</P> <PRE><CODE>index=_internal </CODE></PRE> <P>If you want to verify if there are new hosts you have to insert your hosts in a lookup and search for them:</P> <PRE><CODE>index=_internal NOT [ | inputlookup my_hosts.csv | fields host ] </CODE></PRE> <P>in this way you can find if an host is or not in your lookup.<BR /> Bye.<BR /> Giuseppe</P> Wed, 04 Jan 2017 11:12:46 GMT https://community.splunk.com/t5/Splunk-Search/How-to-write-a-search-to-find-new-hosts-that-are-sending-logs-to/m-p/218368#M64169 gcusello 2017-01-04T11:12:46Z https://community.splunk.com/t5/Splunk-Search/How-to-write-a-search-to-find-new-hosts-that-are-sending-logs-to/m-p/218369#M64170 <P>You could try this if you just want to show those new hosts that have reported for the first time since yesterday:</P> <PRE><CODE>| metadata type=hosts index=_* OR index=* | where firstTime &gt;= relative_time(now(), "-1d") | convert timeformat="%Y-%m-%d %T" ctime(firstTime) as firstTime, ctime(lastTime) as lastTime, ctime(recentTime) as recentTime | table host, firstTime, lastTime, recentTime, Count </CODE></PRE> <P>Simply modify the relative_time parameters to match your time range needs.</P> Wed, 04 Jan 2017 11:18:51 GMT https://community.splunk.com/t5/Splunk-Search/How-to-write-a-search-to-find-new-hosts-that-are-sending-logs-to/m-p/218369#M64170 javiergn 2017-01-04T11:18:51Z https://community.splunk.com/t5/Splunk-Search/How-to-write-a-search-to-find-new-hosts-that-are-sending-logs-to/m-p/218370#M64171 <P>Hi,</P> <P>Did any of the answers below help you?<BR /> If so, could you please mark it as answered so that we can close the thread?</P> <P>Thanks,<BR /> J</P> Thu, 26 Jan 2017 20:57:08 GMT https://community.splunk.com/t5/Splunk-Search/How-to-write-a-search-to-find-new-hosts-that-are-sending-logs-to/m-p/218370#M64171 javiergn 2017-01-26T20:57:08Z