How to get the count of forwarders that are report...

yu94 · ‎11-25-2016

Hi Splunkers,

I want to get the count of forwarders that are reporting from each application/Workspace.

Example: I have created 4 apps/workspace for 4 different teams.
So now I want to get the count of forwarders that are reporting from each application/Workspace

Is there any search which can give me the above information in a single search ?

Thanks in advance,
Thippesh

gcusello · ‎11-26-2016

Hi yu94,
you could create a lookup with your application/Workspace (es. AppWork.csv) in which there are indexes or sourcetypes or another field that is unique used in your applications, something like this:

App Index Sourcetype
App1 index1 sourcetype1
App1 Index1 sourcetype2
App2 index2 sourcetype3
...

and then (using sourcetype) run a search like this

| inputlooup AppWork.csv 
| eval count=0 
| append [ index=* | stats count by sourcetype]
| stats sum(count) AS Total by sourcetype
| lookup AppWork.csv sourcetype OUTPUT App
| stats values(sourcetype) AS sourcetype sum(Total) AS Total by App

You could limit your results inserting in the sub-search the correct indexes (I don't know them) and (if you have other sourcetypes than the lookup) eventually filter sub-search by your lookup:

| inputlooup AppWork.csv 
| eval count=0 
| append 
     [ index=*  [  | inputlooup AppWork.csv | dedup sourcetype | fields sourcetype]
     | stats count by sourcetype
     ]
| stats sum(count) AS Total by sourcetype
| lookup AppWork.csv sourcetype OUTPUT App
| stats values(sourcetype) AS sourcetype sum(Total) AS Total by App

Bye.
Giuseppe

How to get the count of forwarders that are reporting from each application/Workspace?

Archived Metrics Now Available for APAC and EMEA realms

Detecting Remote Code Executions With the Splunk Threat Research Team

Enter the Dashboard Challenge and Watch the .conf24 Global Broadcast!