Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Getting Data In
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Query to return all forwarder versions and the las...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
the_wolverine
Champion
05-05-2016
09:07 AM
Please provide a query that will show me the version of my forwarders and when they last shipped me data.
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
the_wolverine
Champion
05-05-2016
09:10 AM
index=_internal sourcetype=splunkd group=tcpin_connections version=* os=* arch=* build=* hostname=* source=*metrics.log
| stats latest(version) as version,latest(arch) as arch,latest(os) as os,latest(build) as build by hostname
| join hostname [ | metadata type=hosts index=*
| eval last_seen_hours=(now()-lastTime)/60/60
| table host, last_seen_hours
| rex field=host "(?<hostname>[^\.]+)" | fields - host ]
This removes the domain component of hostname to ensure a match between metrics and metadata host value.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
the_wolverine
Champion
05-05-2016
09:10 AM
index=_internal sourcetype=splunkd group=tcpin_connections version=* os=* arch=* build=* hostname=* source=*metrics.log
| stats latest(version) as version,latest(arch) as arch,latest(os) as os,latest(build) as build by hostname
| join hostname [ | metadata type=hosts index=*
| eval last_seen_hours=(now()-lastTime)/60/60
| table host, last_seen_hours
| rex field=host "(?<hostname>[^\.]+)" | fields - host ]
This removes the domain component of hostname to ensure a match between metrics and metadata host value.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
twinspop
Influencer
05-05-2016
09:59 AM
Curious about your use of dedup and table vs stats. With this snippet replacing that section of your search:
| stats latest(version) as version latest(arch) as arch latest(os) as os latest(build) as build by hostname
| rex field=hostname "(?<hostname>[^\.]+)"
... the search takes about 15% less time for me. Not a huge savings, for sure, but still.
Any advantage to using depup + table?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
the_wolverine
Champion
05-05-2016
11:07 AM
Yep thanks for the reminder. I normally use stats and have updated the query. I came up with the query this morning and post it on answers as a future reference for myself and others.
Got questions? Get answers!
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Meet up IRL or virtually!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Get Updates on the Splunk Community!
Build the Future of Agentic AI: Join the Splunk Agentic Ops Hackathon
AI is changing how teams investigate incidents, detect threats, automate workflows, and build intelligent ...
[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions
This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...
Splunk Community Badges!
Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...
