topic Re: How to search for newly added hosts? in Splunk Search

How to search for newly added hosts?

Gayathirik — Fri, 28 Oct 2016 10:05:42 GMT

we have some new hosts added in our instance. we need to built a search to check for newly added hosts.

We have used the below search but that is giving all the hosts that have communicated in the past 7 days rather than the ones that are newly added.

   | metadata type=hosts |eval SevenDaysBack = relative_time(now(), "-7d@d") 
   | where firstTime > SevenDaysBack 
   | eval hostAdded=strftime(firstTime, "%d-%m-%Y %H:%M") 
   | table host, hostAdded | sort hostAdded

Also metadata does not go well with timerange picker. the above search is not taking the time range as well.

Is there any other way that we can find a solution to this?

Regards,
Gayathiri K

Re: How to search for newly added hosts?

inventsekar — Fri, 28 Oct 2016 10:10:22 GMT

i was checking this metadata, metasearch and dbinspect, plain search queries.. but still no luck.

one thought - you want to find out all hosts recently(last 7 days) added
or,
do you have a host name or list of hosts, and you want to find out their date added to splunk?

Re: How to search for newly added hosts?

TStrauch — Fri, 28 Oct 2016 11:05:59 GMT

Hi,

i think you should take a look at this answer post. Its a smart solution for your problem by creating a little lookup file.

https://answers.splunk.com/answers/422889/how-to-search-for-newly-added-servers-by-comparing.html

kind regards

Re: How to search for newly added hosts?

Gayathirik — Fri, 28 Oct 2016 12:17:52 GMT

we need to find out all the new host that are added recently and not their date.

Re: How to search for newly added hosts?

inventsekar — Fri, 28 Oct 2016 12:29:31 GMT

sorry, not getting you.. you need to find out recently added hosts meaning, you wanted to know the date of the hosts added to splunk, right

Re: How to search for newly added hosts?

Gayathirik — Wed, 02 Nov 2016 09:45:25 GMT

for example if we have 200 host and say 2 new host are added in a week,i would want to check only those 2 newly added host.

Re: How to search for newly added hosts?

colinmchugo — Wed, 15 Mar 2017 15:30:46 GMT

Any luck with the answer to this lads? I am looking to alert on any new domains that have not been seen before i.e new domains being hit i want a splunk alert for this. thanks C.

Re: How to search for newly added hosts?

colinmchugo — Wed, 15 Mar 2017 15:38:14 GMT

Any result lads? Id like an answer to this one too cheers.

Re: How to search for newly added hosts?

DalJeanis — Wed, 15 Mar 2017 18:12:53 GMT

see the linked answer. https://answers.splunk.com/answers/422889/how-to-search-for-newly-added-servers-by-comparing.html