How to list all hosts and sourcetypes of all indexes quickly

bestSplunker
Contributor

I want to list all sourcetypes and hosts of indexes.

If I do:

|metadata type=hosts where index=*

it can only list hosts.

If I do:

|metadata type=sourcetypes where index=*

it can only list sourcetypes.

If I do:

index=* |stats values(host) by sourcetype

the search is very slow.

I want the result:

firstTime    Sourcetype  Host         lastTime   recentTime  totalCount
1522967692   nginx       192.168.1.2  152340603  1523243447  29125

Each host and source type correspond to each other.

0 Karma
1 Solution

niketn
Legend

@bestSplunker, you can use a query like the following (depending on what access you have for indexes):

|  tstats count as totalCount earliest(_time) as firstTime latest(_time) as lastTime where index="_*" by host sourcetype
|  fieldformat firstTime=strftime(firstTime,"%Y/%m/%d %H:%M:%S")
|  fieldformat lastTime=strftime(lastTime,"%Y/%m/%d %H:%M:%S")

The above gets the stats for all internal Splunk indexes using index="_*".

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

hunderliggur
Path Finder

Add index at the end of line 1 and you will have a more complete picture if that is what you are looking for.

0 Karma
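
Added example, not part of any post in this thread: one search that combines the accepted answer with the suggestion to split by index and returns the columns the question asks for. It assumes `index=*` is the intended scope and uses `max(_indextime)` as a stand-in for the `recentTime` that `| metadata` reports; `secondsSinceLastEvent` is a hypothetical column name added so that sources which have gone quiet stand out.

```spl
| tstats count as totalCount
         min(_time) as firstTime
         max(_time) as lastTime
         max(_indextime) as recentTime
  where index=* by index host sourcetype
| eval secondsSinceLastEvent = now() - lastTime
| sort 0 index sourcetype host
| table index firstTime sourcetype host lastTime recentTime totalCount secondsSinceLastEvent
| fieldformat firstTime=strftime(firstTime,"%Y/%m/%d %H:%M:%S")
| fieldformat lastTime=strftime(lastTime,"%Y/%m/%d %H:%M:%S")
| fieldformat recentTime=strftime(recentTime,"%Y/%m/%d %H:%M:%S")
```

Like any `tstats` search, it only covers the selected time range and the indexes your role can search.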

gaurav_maniar
Builder

Hi,

I have a query related to tstats; can you please check the question below:
https://answers.splunk.com/answers/770370/how-to-get-tstats-results-independent-of-time-rang.html

0 Karma

bestSplunker
Contributor

Thank you for your reply; this is the best answer.
