Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

how do i find where each hosts are indexing data

ranjitbrhm1
Communicator
‎03-31-2018 05:05 AM

the reason for this is because someone made a mix-up on the UF and then some hosts are indexing to the wrong index. Is there an easy way to find the Index to which each hosts are indexing different data?

Tags (1)
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎04-01-2018 01:46 AM

Hi ranjitbrhm1,
try something like this:

| metasearch index=*
| stats values(indexes) AS indexes count by host

In this way you have all the indexes for each host.

To correct errors, it could be useful to have also sources, so you can intervene:

| metasearch index=*
| stats values(sources) AS sources count BY host index

To have all the sources when some host logs are archived.

Have an Happy Easter.
Bye.
Giuseppe

0 Karma
Reply

niketn
Legend
‎03-31-2018 09:51 AM

You can use either tstats or metadata command on your index to get stats by host

| tstats count where index="<yourIndexName>" by host

Or 

| metadata type=hosts where index="<yourIndexName>"
| fieldformat firstTime=strftime(firstTime,"%Y/%m/%d %H:%M:%S")
| fieldformat lastTime=strftime(lastTime,"%Y/%m/%d %H:%M:%S")
| table host firstTime lastTime totalCount
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Get Updates on the Splunk Community!

SOC4Kafka - New Kafka Connector Powered by OpenTelemetry

The new SOC4Kafka connector, built on OpenTelemetry, enables the collection of Kafka messages and forwards ...

Your Voice Matters! Help Us Shape the New Splunk Lantern Experience

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Building Momentum: Splunk Developer Program at .conf25

At Splunk, developers are at the heart of innovation. That’s why this year at .conf25, we officially launched ...