Getting Data In

How can I search for a list of all 50 hosts on my network with the most recent date it was powered on?

imagecartel
Explorer

Instead of typing in each host one by one in the data field to see when it was last updated, is there a way to run a command search to show me, let's say, all 50 hosts on my network with the last date it was powered on and talked to the gateway/router/network? I want to be able to quickly find all machines that have not been turned on in a while to see if those machines are standalone or machines that are no longer used and can be removed. Is there an event code for sourcetype=network IP access?

0 Karma
1 Solution

DalJeanis
Legend

Try something like this...

 | metadata type=hosts  | rename lastTime AS _time | fields _time host | search [| inputcsv myhosts.csv | table host]

To find any that are missing, you might want to add this...

 | append [| inputcsv myhosts.csv | table host | eval _time=strptime("2000-01-01","%Y-%m-%d")]
 | stats max(_time) AS _time by host
 | sort 0 _time


0 Karma


imagecartel
Explorer

This is what worked:
| metadata type=hosts | rename lastTime AS _time | fields _time host | search host=1 OR host=2 OR host=3 and so on

Thanks Daljeanis

DalJeanis
Legend

Yes, that's what we were going for. Putting it in a csv file is usually easier for large numbers of machines (like when you have 50 of them).

The construction [| inputcsv myhosts.csv | table host] will create language that looks like this for each field host in the csv...

    ( ( host="host1" )  OR  ( host="host2" )  OR .... )  

To see exactly what it looks like, do this...

 | inputcsv myhosts.csv | table host | format

...or use this run-anywhere sample...

 | makeresults | eval host=mvappend("host1","host2","host3") | mvexpand host | format
0 Karma

somesoni2
Revered Legend

What's your Splunk search to get status of single host?

0 Karma

imagecartel
Explorer

Splunk main page; Data Summary; type in host=xyz. Results show last time host was active on the network. If I have 100 hosts to check, is there an easier way instead of typing in 100 hosts manually in the Data Summary? Can I type in a command with inserting all host names to spit out the results they were all last active?

0 Karma

somesoni2
Revered Legend

You can run a search like this.

| metadata type=hosts index=* | search [| gentimes start=-1 | host="host1 host2 host3...put all hosts space separated here.." | table host | makemv host | mvexpand host ] | table host totalCount recentTime | eval recentTime=strftime(recentTime,"%F %T") | rename host as "Host" totalCount as Count recentTime as "Last Update"
0 Karma

imagecartel
Explorer

It does not like the command host in ( start=-1 | host )

0 Karma

somesoni2
Revered Legend

Oops, try this (missed writing eval)

| metadata type=hosts index=* | search [| gentimes start=-1 | eval host="host1 host2 host3...put all hosts space separated here.." | table host | makemv host | mvexpand host ] | table host totalCount recentTime | eval recentTime=strftime(recentTime,"%F %T") | rename host as "Host" totalCount as Count recentTime as "Last Update"
0 Karma
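
Building on the CSV-driven search in the accepted answer, here is an added example (not posted by anyone in this thread) that reports only the listed hosts that have gone quiet or never appeared in Splunk at all. It assumes myhosts.csv has a single host column; the 30-day cutoff and the expected, days_silent, status and last_seen field names are illustrative choices.

```spl
| metadata type=hosts index=*
| fields host lastTime
| append [| inputcsv myhosts.csv | table host | eval expected=1]
| eval host=lower(host)
| stats max(lastTime) AS lastTime max(expected) AS expected by host
| where expected=1
| eval days_silent=round((now()-lastTime)/86400, 1)
| eval status=case(isnull(lastTime), "never seen", days_silent>30, "stale", true(), "active")
| eval last_seen=if(isnull(lastTime), "never", strftime(lastTime, "%F %T"))
| where status!="active"
| sort 0 lastTime
| table host last_seen days_silent status
```

lastTime is the timestamp of the most recent event indexed for a host, so this shows when a machine last sent data to Splunk rather than when it was powered on.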