How to create a report that show new log sources a...

Narcisse · ‎01-09-2023

I am newbie in Splunk. I need help help creating a report to show new log sources that have been added to Splunk.

Narcisse · ‎01-25-2023

Just want to know if you have a new suggestion that will fix my error

gcusello · ‎01-09-2023

you can run a simple search like the following:

| metadata index=* earliest=-30d@d latest=now
| stats 
   earliest(_time) AS earliest 
   latest(_time) AS latest 
   values(index) AS index 
   values(host) AS host 
   BY sourcetype
| where latest-earliest<86400
| eval 
   earliest=strftime(earliest,"%Y-%m-%d %H:%M:%S"), 
   latest=strftime(latest,"%Y-%m-%d %H:%M:%S")

In this way you can check the Data arrived in the last 24 hours not present in the previous 29 days.

Ciao.

Giuseppe

Narcisse · ‎01-10-2023

Thanks for your response but I am getting these messages

Error in 'metadata': You must specify a 'type' argument to 'metadata', as in 'type=hosts'.

The search job has failed due to an error. You may be able view the job in the Job Inspector.

gcusello · ‎01-26-2023

Hi @Narcisse,

please try this:

| tstats earliest(_time) AS earliest latest(_time) AS latest values(host) AS host WHERE earliest=-30d@d latest=now BY sourcetype index
| where latest-earliest<86400
| eval 
   earliest=strftime(earliest,"%Y-%m-%d %H:%M:%S"), 
   latest=strftime(latest,"%Y-%m-%d %H:%M:%S")

Ciao.

Giuseppe

How to create a report that show new log sources added in Splunk?

report acceleration

Customer Experience | Join the Customer Advisory Board!

Observability Cloud | AWS PrivateLink Enabled for Splunk Observability Cloud

Index This | A sphere has three, a circle has two, and a point has zero. What is it?