Solved: Re: Count hosts in cisco:ios source type

eholz1 · ‎02-14-2023

Hello All,

I am using the Splunk Cisco TA plugin to get all kinds of data from the cisco devices reporting to splunk. I am sending the cisco logs direct from the cisco host to splunk. Is there a way to get the host only out of a search?, I mean without the events per host. Just the deduped hosts using "sourcetype="cisco:ios" in the search field for a given time span (24hrs, 30 days, etc). it would be nice to get the accurate count of hosts sending data to the indexer.

thanks,

Eholz`

richgalloway · ‎02-14-2023

That sounds like a job for the stats command. For speed, use tstats.

| tstats count where index=* host=* sourcetype="cisco:ios" by host

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎02-14-2023

That sounds like a job for the stats command. For speed, use tstats.

| tstats count where index=* host=* sourcetype="cisco:ios" by host

---
If this reply helps you, Karma would be appreciated.

eholz1 · ‎02-17-2023

Hello richgalloway,

Thanks again for the response, an excellent search term. I wish I had thought of using tstats.

Thanks again

eholz1

nyc_jason · ‎02-17-2023

You can also add | fields - count to Richard's tstats, to be left with just the host field.

eholz1 · ‎02-17-2023

Hello nyc_jason,

Kudos all around. Thank you for taking the time to reply to my question. For once I learned

more about Splunk and the ART of search stings and SPL You both gave me a mini-lesson in searching.

Thanks,

eholz1

How to count hosts in cisco:ios source type?

search

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases