Dynamic list of Hostname

ilyazs · ‎04-29-2015

I have 2 types of log files I want to fetch dynamic list of hostnames(host) with index name

Log file1:
index,sourcetype,host,entrypost
aaa,123,10.12.13.14,text
aaa,124,10.12.13.15,text
aaa,126,10.12.13.16,text

Log file2:
index,sourcetype,host,entrypost
bbb,141,10.12.13.20,text
bbb,144,10.12.13.21,text
bbb,148,10.12.13.22,text

Suppose, if I select Index=aaa then output list
host
10.12.13.14,
10.12.13.15,
10.12.13.16,.......

if I select index=bbb then output list
host
10.12.13.20,
10.12.13.21,
10.12.13.22,..............

Eg: index=aaa sourcetype="" | eval host_name=if(index=aaa,"host=","host=*") | chart count(sourcetype) as ST by host_name

ilyazs · ‎04-30-2015

Sample Log files
Log file1:
index,sourcetype,host,entrypost
aaa,123,10.12.13.14,text
aaa,124,10.12.13.15,text
aaa,126,10.12.13.16,text

Log file2:
index,sourcetype,host,entrypost
bbb,141,10.12.13.20,text
bbb,144,10.12.13.21,text
bbb,148,10.12.13.22,text

Expected Output: Suppose, if I select Index=aaa then output list
host
10.12.13.14,
10.12.13.15,
10.12.13.16,.......

if I select index=bbb then output list
host
10.12.13.20,
10.12.13.21,
10.12.13.22,..............

Note: host name is same in both log files

stephane_cyrill · ‎04-30-2015

can you be more explicit on what you want? what do you mean by dynamic hostname and index? can you provide a sample of the result you are expecting?

stephane_cyrill · ‎04-29-2015

HI ilyazs,
if you want list of hostnames(host) with index names ,try this:

source=logFile1 OR logFile2 |stats values(host) AS hostName values(index) AS indexName by source

i suggest you to read this:

docs.splunk.com/Documentation/Splunk/6.2.2/SearchReference/Whatsinthismanual

ilyazs · ‎04-30-2015

Hi Stephane,

This query is not working as required output.

Thanks for your suggestion, but query sample type which I want is not available in reference manual.

Are you a member of the Splunk Community?