I'd just like a report sent to me daily listing the host names that appeared in Splunk in the last 24 hours.
Guessing I have to search metadata twice and then diff them, but I thought someone might have an app or a search that does this already? No sense in reinventing the wheel. Basically I just want a high-level list of host names of what joined Splunk while I was out.
give this a try:
| tstats dc(host) AS yesterday WHERE index=* earliest=-1d@d latest=-0d@d | append [| tstats dc(host) AS today WHERE index=* earliest=@d latest=now ] | stats max(*) AS * | where yesterday != today
This will be lightning fast and only shows a result if the count of the hosts of yesterday and today is different.
Hope this helps ...
append is not a problem here as long as you don't expect more than 50K hosts 😉
Update: this search will return the host(s) that don't have events for both days:
| tstats dc(host) AS count WHERE index=* earliest=-1d@d latest=now by host _time span=1d | stats sum(count) AS total by host | where total != 2
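The searches above compare counts or presence across two days; a variant that returns the actual names of hosts first seen today, checked against a lookback window, is added here as an example (not part of the answer above). It assumes a 30-day lookback, that the searching role can see all indexes matched by index=*, and that the report is scheduled to run once a day; a host silent for longer than the lookback will reappear as "new".

```spl
| tstats min(_time) AS first_seen WHERE index=* earliest=-30d@d latest=now BY host
    ``` first_seen is the earliest event per host within the 30-day lookback (assumption) ```
| where first_seen >= relative_time(now(), "-1d@d")
    ``` keep only hosts whose earliest event falls in the last calendar day ```
| eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S")
| table host first_seen
| sort first_seen
```

Saved as a daily scheduled report with the same lookback, this lists each newly reporting host with its first-seen timestamp, which is what you want to eyeball for hosts you did not expect to join.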