To check newly added hosts

Gayathirik
Path Finder

Hi,

How to check if hosts are getting added newly over a week.

If there are any hosts that are getting added week by week, they should be shown and an alert triggered.

1 Solution

inventsekar
Ultra Champion

Hi Gayathiri, please try this query..

If you want to query date-wise, let's say new hosts added last week, then -
tested and working fine..

| metadata type=hosts
| eval SevenDaysBack = relative_time(now(), "-7d@d")
| where firstTime > SevenDaysBack
| sort firstTime
| eval hostAdded=strftime(firstTime, "%d-%m-%Y %H:%M")
| table host, hostAdded


mrtolu6
Path Finder

Try this
| metadata type=hosts index=_* OR index=*
| where firstTime >= relative_time(now(), "-7d")
| convert timeformat="%Y-%m-%d %T" ctime(firstTime) as firstTime, ctime(lastTime) as lastTime, ctime(recentTime) as recentTime
| table host, firstTime, lastTime, recentTime, totalCount


Gayathirik
Path Finder

This query gives the list of all hosts that have communicated in the past 7 days, which includes hosts that were not added in the past 7 days but were available earlier as well.

I just want the hosts that were newly added in the last 7 days.

Thanks!!


inventsekar
Ultra Champion

Hi, on some posts they suggested this metadata command.. but after doing some more research on it, the metadata firstTime seems not to be accurate.

Still checking on this topic, will update soon..

For your reference, here is Somesoni's observation of the metadata command in Splunk 6.2.2:

1) The metadata command does respect the time range picker (you can see the firstTime and totalCount values will change between last 15 min and last 30 days; again, data has to be available. It may not work on the data but on the buckets).
2) The metadata command has categories (type parameter) of hosts/sources/sourcetypes, and generally a larger number of these categories would require the metadata command to parse more buckets to get the information, hence it wouldn't be efficient. I've seen it working fine for my 30,000 hosts (retention period 1 year), so I do believe it should work for 1000 sourcetypes provided the number of buckets scanned is reasonable.
3) The metadata command does work like a search, and it should report lastTime and recentTime correctly; totalCount and firstTime can be incorrect, as it's not scanning through the oldest buckets (my guess is that Splunk finalizes the search after a certain memory limit is reached).
4) Restricting the metadata search to one index would definitely help, but again it depends on the content of the index (I had 53 indexes, with 1 index containing 70% of the data, so it may not work for that particular index).

https://answers.splunk.com/answers/294791/accuracy-of-metadata-command-in-large-environments.html


Gayathirik
Path Finder

Is there any other way that we can find out the newly added hosts without "metadata"?

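The alert the original question asks for and the last question (a way to do this without metadata) can both be served by the two searches below. They are an added example, not code from any post in this thread, and they assume a CSV lookup file named known_hosts.csv (a hypothetical name) with the columns host and first_seen. tstats computes min(_time) from the tsidx files of every bucket in the search time range, so it does not share the skipped-oldest-buckets problem described for metadata above; the lookup persists each host's earliest observed time, so a host that reported in during the last week is compared against everything seen before it, which is exactly what separates a genuinely new host from one that was already known. The first search is the alert body and returns rows only for hosts with no baseline entry; the second keeps the baseline current.

```spl
| tstats min(_time) as first_seen, max(_time) as last_seen, count
    where index=* earliest=-7d@d
    by host
| lookup known_hosts.csv host OUTPUT first_seen as baseline_first_seen
| where isnull(baseline_first_seen)
| sort first_seen
| eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S"),
       last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| table host, first_seen, last_seen, count

| tstats min(_time) as first_seen
    where index=* earliest=-7d@d
    by host
| inputlookup append=true known_hosts.csv
| stats min(first_seen) as first_seen by host
| outputlookup known_hosts.csv
```

Seed known_hosts.csv once by running the second search over All time (or at least your full retention period); until the baseline covers that range, a host whose last report predates the baseline window will be flagged as new. Then schedule the second search daily and save the first as an alert with a 7-day time range that triggers when the number of results is greater than zero. Because tstats, like any search, only sees indexes the running user is allowed to search, schedule both searches under a role whose index access covers every index you care about, or the baseline will have gaps that surface later as false "new host" alerts.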