Deployment Architecture

To check newly added hosts

Gayathirik
Path Finder

Hi,

How can I check whether hosts are being newly added over a week?

If any hosts are being added week by week, they should be shown and an alert should be triggered.

0 Karma
1 Solution

inventsekar
Super Champion

Hi Gayathiri, please try this query.

If you want to query date-wise, let's say new hosts added last week, then:
Tested and working fine.

  | metadata type=hosts | eval SevenDaysBack = relative_time(now(), "-7d@d")
  | where firstTime > SevenDaysBack
  | eval hostAdded=strftime(firstTime, "%d-%m-%Y %H:%M")
  | table host, hostAdded | sort hostAdded


PS: If any post helped you in any way, please give a hi-five to the author with an upvote. If your issue got resolved, please accept the reply as the solution. Thanks.

0 Karma

mrtolu6
Path Finder

Try this:

  | metadata type=hosts index=_* OR index=* | where firstTime >= relative_time(now(), "-7d")
  | convert timeformat="%Y-%m-%d %T" ctime(firstTime) as firstTime, ctime(lastTime) as lastTime, ctime(recentTime) as recentTime
  | table host, firstTime, lastTime, recentTime, count index

0 Karma


Gayathirik
Path Finder

This query gives the list of all hosts that communicated in the past 7 days, which includes hosts that were not added in the past 7 days but were already available earlier as well.

I just want the hosts that were newly added in the last 7 days.

Thanks!!

0 Karma

inventsekar
Super Champion

Hi, on some posts they suggested this metadata command, but after doing some more research on this, the metadata firstTime seems not to be accurate.

Checking further on this topic, will update soon.

For your reference, here is Somesoni's observation of the metadata command in Splunk 6.2.2:

1) The metadata command does respect the time range picker (you can see the firstTime and totalCount values change between last 15 min and last 30 days; again, the data has to be available. It may not work on the data but on the buckets).
2) The metadata command has categories (Type parameter) of hosts/sources/sourcetypes, and generally a larger number of these categories would require the metadata command to parse more buckets to get the information, hence it wouldn't be efficient. I've seen it working fine for my 30,000 hosts (retention period 1 year), so I do believe it should work for 1000 sourcetypes provided the number of buckets scanned is reasonable.
3) The metadata command does work like search and it should report lastTime and recentTime correctly along with totalCount, but firstTime can be incorrect, as it's not scanning through the oldest buckets (my guess is that Splunk finalizes the search after a certain memory limit is reached).
4) Restricting the metadata search to one index would definitely help, but again it depends on the content of the index (I had 53 indexes, with 1 index containing 70% of the data, so it may not work for that particular index).

https://answers.splunk.com/answers/294791/accuracy-of-metadata-command-in-large-environments.html

PS: If any post helped you in any way, please give a hi-five to the author with an upvote. If your issue got resolved, please accept the reply as the solution. Thanks.
0 Karma

Gayathirik
Path Finder

Is there any other way that we can find out the newly added hosts without "metadata"?

0 Karma
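One way to answer the last question without the metadata command, added here as an example and not code from any post in this thread: tstats computes each host's earliest indexed event from the tsidx files over an explicit window, and a baseline lookup (assumed here to be a CSV named known_hosts.csv with a host column) suppresses hosts that were already known before that window, which covers the case of a host first seen before the retention window that went quiet for a while. The first search is the alert search; the second seeds or refreshes the baseline and must be run once before the first.

```spl
| tstats min(_time) AS firstSeen, max(_time) AS lastSeen, count AS events
    WHERE index=* earliest=-90d@d latest=now
    BY host
| lookup known_hosts.csv host OUTPUT host AS alreadyKnown
| where isnull(alreadyKnown) AND firstSeen >= relative_time(now(), "-7d@d")
| eval firstSeen=strftime(firstSeen, "%Y-%m-%d %H:%M"),
       lastSeen=strftime(lastSeen, "%Y-%m-%d %H:%M")
| table host, firstSeen, lastSeen, events
| sort firstSeen

| tstats min(_time) AS firstSeen WHERE index=* earliest=-90d@d BY host
| outputlookup known_hosts.csv
```

Save the first search as a scheduled alert with the trigger condition "number of results is greater than 0"; scheduling the second search to run after it means each new host alerts once and is then part of the baseline.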