Getting Data In

Dynamic list of Hostname

ilyazs
Explorer

I have 2 types of log files I want to fetch dynamic list of hostnames(host) with index name

Log file1:
index,sourcetype,host,entrypost
aaa,123,10.12.13.14,text
aaa,124,10.12.13.15,text
aaa,126,10.12.13.16,text

Log file2:
index,sourcetype,host,entrypost
bbb,141,10.12.13.20,text
bbb,144,10.12.13.21,text
bbb,148,10.12.13.22,text

Suppose, if I select Index=aaa then output list
host
10.12.13.14,
10.12.13.15,
10.12.13.16,.......

if I select index=bbb then output list
host
10.12.13.20,
10.12.13.21,
10.12.13.22,..............

Eg: index=aaa sourcetype="" | eval host_name=if(index=aaa,"host=","host=*") | chart count(sourcetype) as ST by host_name

0 Karma

ilyazs
Explorer

Sample Log files
Log file1:
index,sourcetype,host,entrypost
aaa,123,10.12.13.14,text
aaa,124,10.12.13.15,text
aaa,126,10.12.13.16,text

Log file2:
index,sourcetype,host,entrypost
bbb,141,10.12.13.20,text
bbb,144,10.12.13.21,text
bbb,148,10.12.13.22,text

Expected Output: Suppose, if I select Index=aaa then output list
host
10.12.13.14,
10.12.13.15,
10.12.13.16,.......

if I select index=bbb then output list
host
10.12.13.20,
10.12.13.21,
10.12.13.22,..............

Note: host name is same in both log files

0 Karma

stephane_cyrill
Builder

can you be more explicit on what you want? what do you mean by dynamic hostname and index? can you provide a sample of the result you are expecting?

0 Karma

stephane_cyrill
Builder

HI ilyazs,
if you want list of hostnames(host) with index names ,try this:

source=logFile1 OR logFile2 |stats values(host) AS hostName values(index) AS indexName by source

i suggest you to read this:

docs.splunk.com/Documentation/Splunk/6.2.2/SearchReference/Whatsinthismanual

0 Karma

ilyazs
Explorer

Hi Stephane,

This query is not working as required output.

Thanks for your suggestion, but query sample type which I want is not available in reference manual.

0 Karma
Get Updates on the Splunk Community!

Detector Best Practices: Static Thresholds

Introduction In observability monitoring, static thresholds are used to monitor fixed, known values within ...

Expert Tips from Splunk Education, Observability in Action, Plus More New Articles on ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Changes to Splunk Instructor-Led Training Completion Criteria

We’re excited to share an update to our instructor-led training program that enhances the learning experience ...