Knowledge Management
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

how to list all hosts and sourcetypes of all indexes quickly

bestSplunker
Contributor
‎04-08-2018 08:31 PM

I want to list all sourcetypes and hosts of indexes.

if i do :

|metadata type=hosts where index=*

can only list hosts.

if i do

|metadata type=sourcetypes where index=*

can only list sourcetypes

if i do:


index=* |stats values(host) by sourcetype

the search is very slowly

I want the result:

fistTime         Sourcetype        Host                    lastTime         recentTime        totalCount 

1522967692        nginx         192.168.1.2                 152340603        1523243447        29125

Each host and source type are corresponding

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

niketn
Legend
‎04-08-2018 09:15 PM

@bestSplunker, you can use query like the following (depending on what access you have for indexes):

|  tstats count as totalCount earliest(_time) as firstTime latest(_time) as lastTime where index="_*" by host sourcetype
|  fieldformat firstTime=strftime(firstTime,"%Y/%m/%d %H:%M:%S")
|  fieldformat lastTime=strftime(lastTime,"%Y/%m/%d %H:%M:%S")

The above gets the stats for all internal Splunk indexes using index="_*".

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

Reply
Solved! Jump to solution
Solution

niketn
Legend
‎04-08-2018 09:15 PM

@bestSplunker, you can use query like the following (depending on what access you have for indexes):

|  tstats count as totalCount earliest(_time) as firstTime latest(_time) as lastTime where index="_*" by host sourcetype
|  fieldformat firstTime=strftime(firstTime,"%Y/%m/%d %H:%M:%S")
|  fieldformat lastTime=strftime(lastTime,"%Y/%m/%d %H:%M:%S")

The above gets the stats for all internal Splunk indexes using index="_*".

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Reply
Solved! Jump to solution

hunderliggur
Path Finder
‎09-04-2019 03:45 PM

Add index at the end of line 1 and you will have a more complete picture if that is what you are looking for.

0 Karma
Reply
Solved! Jump to solution

gaurav_maniar
Builder
‎09-04-2019 02:53 PM

Hi,

I have query related to tstats, can you please check below question,
https://answers.splunk.com/answers/770370/how-to-get-tstats-results-independent-of-time-rang.html

0 Karma
Reply
Solved! Jump to solution

bestSplunker
Contributor
‎04-09-2018 05:57 PM

Thank you for your reply, this is a best answer.

Reply
Get Updates on the Splunk Community!

Tips & Tricks When Using Ingest Actions

Tune in to learn about:Large scale architecture when using Ingest ActionsRegEx performance considerations ...

Announcing Our Splunk MVPs

We are excited to announce the first cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Dashboard Studio Challenge - Learn New Tricks, Showcase Your Skills, and Win Prizes!

Reimagine what you can do with your dashboards. Dashboard Studio is Splunk’s newest dashboard builder to ...