Getting Data In

Number of hosts over time

hartfoml
Motivator

I am looking for a good way to show the number of host that are sending log files to splunk over time

I can use timechart but how do I count uniq host names and from what index. I tried _internal for the metrics and summary but when i use uniq or dedup it kills my timchart function.

How to get the number for each day over a 30 day????

I tried this:

index=_internal hostname="*" component="Metrics" | timechart span=d count(uniq hostname)

But that's not right. anyone know the right way??

Tags (1)
0 Karma
1 Solution

BobM
Builder

This will give what you want.

index=_internal per_host_thruput | timechart span=1d dc(series) as hosts

dc is short for distinct count and series contains the host name in the per_host group

View solution in original post

BobM
Builder

This will give what you want.

index=_internal per_host_thruput | timechart span=1d dc(series) as hosts

dc is short for distinct count and series contains the host name in the per_host group

Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...