Dashboards & Visualizations

Tips on creating a dashboard that reports the total number of hosts in the network?

New Member

I have a search "host=192.168.68.0/23|table host |dedup host" that gives me a list of IP addresses. I would like to turn this into a dashboard item that will report the total number of hosts in this network. How can I do that?

0 Karma

The classic way:

  host=192.168.68.0/23 | stats dc(host) as host_count

A bit more advanced (and faster):

| tstats dc(host) as host_count where index=<your_index> sourcetype=<your_sourcetype> host=192.168.68.0/23
0 Karma

SplunkTrust
SplunkTrust

If you are looking for just count, this should work

<your search>|stats count by host|fields count
0 Karma

SplunkTrust
SplunkTrust

Actually if you want only the count of the number of hosts, you would have to do:

<your search> |stats count by host | stats count
0 Karma

SplunkTrust
SplunkTrust

@AJeepDude, I am not sure how your query is working. In the base search you have filtered only one host then table host should give you only one result. Can you provide the index or sourcetype for your base search?

If you have to find the total number of hosts, you should better try dbinspect which gives hostCount or metadata or tstats command specifically for such statistics. Read the documentation and based on your needs coming up with desired query should be easy.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

The search is not filtering to one host, it is a CIDR Notation.
Splunk handles CIDR notations.

All hosts with an IP address in the 192.168.68.0/23 (512 possibilities here) network should be returned!

0 Karma