topic Re: Active computers reporting to splunk last 30 days in Splunk Search

Active computers reporting to splunk last 30 days

cyler — Thu, 05 Apr 2018 18:34:44 GMT

I would like to know how to search for all computers that are reporting to Splunk in the last 30 day.

Thank you

Re: Active computers reporting to splunk last 30 days

skulk — Thu, 05 Apr 2018 18:40:38 GMT

Hi,

You should ru search like this one (set time-range picker for last 30 days):

index=* | stats count by host

This search will show you all hosts and number of events from each other.

Re: Active computers reporting to splunk last 30 days

adonio — Thu, 05 Apr 2018 18:40:47 GMT

many ways to go about it ...
try this |metadata type=hosts
see the output of the command and start exploring ...
heres a link to the doc that has more elaborated examples:
http://docs.splunk.com/Documentation/Splunk/7.0.3/SearchReference/Metadata
hope it helps

Re: Active computers reporting to splunk last 30 days

elliotproebstel — Thu, 05 Apr 2018 18:41:45 GMT

You could try these:

| tstats latest(_time) AS latest where index=* by host

or
| metadata type=hosts
Either should work.

Re: Active computers reporting to splunk last 30 days

cyler — Fri, 06 Apr 2018 14:12:33 GMT

Forgive my being naive - Here is what result I get back

Re: Active computers reporting to splunk last 30 days

cyler — Fri, 06 Apr 2018 14:14:08 GMT

index=my_index* | metadata type=hosts

Error in 'metadata' command: This command must be the first command of a search.
The search job has failed due to an error. You may be able view the job in the Job Inspector.

Re: Active computers reporting to splunk last 30 days

adonio — Fri, 06 Apr 2018 14:22:58 GMT

please read the doc
metadata is a generating command has to be first
no need for index = something before
place this in your searchbae literally |metadata type=hosts

Re: Active computers reporting to splunk last 30 days

DalJeanis — Fri, 06 Apr 2018 15:02:27 GMT

get rid of everything before the first pipe