Hosts added to Splunk instance

kiran_mh · ‎10-20-2016

Hi,

How to get list of hosts added to our splunk instance in the past week?

Thanks in Advance

neelshah · ‎11-18-2016

This Query will give you All host sending data in last 7 days

index=* earliest=-7d@d latest=now() | stats count by index, host, source, sourcetype

This Query will give you all Host sending data in before 7 days

index=* latest=-7d@d | stats count by index, host, source, sourcetype

Try comparing both will give you new hosts added this week

lguinn2 · ‎10-22-2016

What is the criteria for determining "added in the last week?" What if a host was sending data to Splunk a month ago and then stopped sending data for several weeks, and is now sending data again? You need to be a bit more precise about what you want.

Also, what is your definition of "host?" Do you want to go by the host field that users see when they search, or the host names that the forwarders use to identify themselves in the internal logs?

kiran_mh · ‎11-18-2016

Hi lguinn,

"added in the last week" refers to hosts that are added in the past week irrespective of they are sending data or not, the very first existence of the host in the splunk instance.

In our instance host refers to the names in the host field that users can see....

Hosts added to Splunk instance

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Adoption of RUM and APM at Splunk