how do i find where each hosts are indexing data

ranjitbrhm1 · ‎03-31-2018

the reason for this is because someone made a mix-up on the UF and then some hosts are indexing to the wrong index. Is there an easy way to find the Index to which each hosts are indexing different data?

gcusello · ‎04-01-2018

Hi ranjitbrhm1,
try something like this:

| metasearch index=*
| stats values(indexes) AS indexes count by host

In this way you have all the indexes for each host.

To correct errors, it could be useful to have also sources, so you can intervene:

| metasearch index=*
| stats values(sources) AS sources count BY host index

To have all the sources when some host logs are archived.

Have an Happy Easter.
Bye.
Giuseppe

niketn · ‎03-31-2018

You can use either tstats or metadata command on your index to get stats by host

| tstats count where index="<yourIndexName>" by host

Or

| metadata type=hosts where index="<yourIndexName>"
| fieldformat firstTime=strftime(firstTime,"%Y/%m/%d %H:%M:%S")
| fieldformat lastTime=strftime(lastTime,"%Y/%m/%d %H:%M:%S")
| table host firstTime lastTime totalCount

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

how do i find where each hosts are indexing data

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?