Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How do I see all Hosts?

philrego
Path Finder
‎07-29-2019 10:28 AM

It's only showing "Top 10 Values" for some reason.

Tags (1)
0 Karma
Reply

chinmoya
Communicator
‎07-29-2019 11:27 PM

Try this

| tstats values(host) where index=* earliest=0

Above will give you a multivalue field. Personally, I prefer the below

| tstats count where index=* earliest=0 by host

0 Karma
Reply

jacobpevans
Motivator
‎07-29-2019 11:21 AM

To add to @PowerPacked 's correct answer, I am assuming you are seeing this in the "Selected Fields" sidebar. If so, click "host" there, "Top values", then ensure you have "limit=0" as a parameter to the top command, e.g.:

< your base search >
| top limit=0 host

If you only want to see all hosts, the fastest way to do that is with this search (tstats is extremely efficient):

| tstats values(host)
Cheers,
Jacob

If you feel this response answered your question, please do not forget to mark it as such. If it did not, but you do have the answer, feel free to answer your own post and accept that as the answer.
Reply

philrego
Path Finder
‎07-29-2019 08:43 PM

| top limit=0 host
worked but
| tstats values(host)
only entering that in the search showed a bunch of hosts i've never seen and couldn't open at all.

0 Karma
Reply

jacobpevans
Motivator
‎07-30-2019 06:17 AM

I'm not following when you say you "couldn't open at all". The tstats command quickly looks at certain fields such as index, host, and _time stored separately from the raw data. Here's another version of the command that will also show the last time data was reported for each index (building on @chinmoya 's answer):

| tstats count latest(_time) as _time by host

Finally, this is how you would get all events if you are unfamiliar with a specific host. Be sure you run the command with the same time-frame as the previous search.

index=* host=[host_XYZ]

If you're still having trouble, I highly recommend taking the free ~5-hour Splunk Fundamentals I training. You can find more information here: https://www.splunk.com/en_us/training/courses/splunk-fundamentals-1.html

Cheers,
Jacob

If you feel this response answered your question, please do not forget to mark it as such. If it did not, but you do have the answer, feel free to answer your own post and accept that as the answer.
0 Karma
Reply

philrego
Path Finder
‎07-30-2019 06:34 AM

Means when you click on the hosts and click "View events" or one of the other options. It opens another tab and immediately closed. | tstats values(host) only shows 100 hosts and none are the ones I use. Same thing with | tstats count latest(_time) as _time by host. Cant click on the results and it doesn't show the hosts I use.

0 Karma
Reply

philrego
Path Finder
‎07-30-2019 06:35 AM

It returned 79,227 events. Could I possibly have that many hosts? I don't need access to more than like 30.

0 Karma
Reply

PowerPacked
Builder
‎07-29-2019 10:44 AM

Hi

You didn't properly mention where you are seeing this behavior.

you can always do stats to list all values in field --- your search | stats count by host

if you are facing issue in timechart, chart command , use this -- ----- your search | timechart count by host useother=f usenull=f

Thanks

0 Karma
Reply
Get Updates on the Splunk Community!

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...