Getting Data In

Anyone have a good search to compare today's hosts against yesterday's?

Builder

All,

I'd just like a report sent to me daily listing the host names appearing in Splunk in the last 24 hours.

Guessing I have to search metadata twice and then diff them, but thought someone might have an app or a search that does this already? No sense in reinventing the wheel. Basically I just want a high-level list of the host names that joined Splunk while I was out.


SplunkTrust

Hi daniel333,

give this a try:

| tstats dc(host) AS yesterday WHERE index=* earliest=-1d@d latest=-0d@d 
| append 
    [| tstats dc(host) AS today WHERE index=* earliest=@d latest=now ] 
| stats max(*) AS * 
| where yesterday != today

This will be lightning fast and only shows a result if the count of the hosts of yesterday and today is different.

Hope this helps ...

cheers, MuS

PS: the append is not a problem here as long as you don't expect more than 50K hosts 😉

Update : this search will return the host[s]* that don't have events for both days:

| tstats dc(host) AS count WHERE index=* earliest=-1d@d latest=now by host _time span=1d 
| stats sum(count) AS total by host 
| where total != 2
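A variant of the updated search above, added here as an example rather than taken from MuS's answer, that goes one step further and labels each non-overlapping host as either new today or missing today (useful when the daily report is meant to flag unexpected new sources as well as silent ones). It assumes the same `index=*` scope and the same two calendar-day windows as the search above.

```spl
| tstats count WHERE index=* earliest=-1d@d latest=now BY host _time span=1d
```` Each row is one host on one day; bucket start before today's midnight means "yesterday" ````
| eval day=if(_time>=relative_time(now(),"@d"),"today","yesterday")
| stats values(day) AS days BY host
| eval status=case(mvcount(days)==2,"both",
                   days=="today","new today",
                   days=="yesterday","missing today")
```` Hosts seen on both days are the steady state; only report the rest ````
| where status!="both"
| table host status
```

Hosts tagged "new today" are the ones that joined Splunk in the last 24 hours (the original question); "missing today" are the ones that went quiet, which is often the more interesting line in a daily review.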

Champion

Doesn't dc() just return a single number?


SplunkTrust

Yes, it does, and it looks like the question can be understood in multiple ways. I updated the answer to provide an example that will list the missing/different host[s]*.

cheers, MuS


Champion

An app for this looks difficult to find. As far as the search is concerned, instead of searching twice, why not use timewrap?
