Hosts added to Splunk instance

kiran_mh · ‎10-20-2016

Hi,

How to get list of hosts added to our splunk instance in the past week?

Thanks in Advance

neelshah · ‎11-18-2016

This Query will give you All host sending data in last 7 days

index=* earliest=-7d@d latest=now() | stats count by index, host, source, sourcetype

This Query will give you all Host sending data in before 7 days

index=* latest=-7d@d | stats count by index, host, source, sourcetype

Try comparing both will give you new hosts added this week

lguinn2 · ‎10-22-2016

What is the criteria for determining "added in the last week?" What if a host was sending data to Splunk a month ago and then stopped sending data for several weeks, and is now sending data again? You need to be a bit more precise about what you want.

Also, what is your definition of "host?" Do you want to go by the host field that users see when they search, or the host names that the forwarders use to identify themselves in the internal logs?

kiran_mh · ‎11-18-2016

Hi lguinn,

"added in the last week" refers to hosts that are added in the past week irrespective of they are sending data or not, the very first existence of the host in the splunk instance.

In our instance host refers to the names in the host field that users can see....

Hosts added to Splunk instance

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?