Report Showing How Many Hosts Per Index

aferone
Builder

I have been trying, but I can't get it to work.

I basically want a table that shows the index in Column A, and how many hosts are in that index in Column B. How would I go about this?

Thanks!

FrankVl
Ultra Champion

Was tstats invented after 2013, or did everyone just forget about that?

Just do a:

| tstats dc(host) where index=* by index

jpgordon
New Member

Old thread, but I figured out a way to do this with metadata.

| metadata type=hosts index=main | stats count AS "Host Count" | eval "Source Index"="main"
| append [ | metadata type=hosts index=other | stats count AS "Host Count" | eval "Source Index"="other" ]
| table "Source Index","Host Count"

And you just keep appending until you get all the indexes you wanted.
Kind of wonky, but it's fast.

0 Karma

varad_joshi
Communicator

index=* | stats values(host) by index

This would also work, but then it actually searches all the indexes for all time. Well, if that's what you want, then this will work.

0 Karma

aferone
Builder

| metadata type=hosts index= | stats count by host

I can get a list of hostnames using this query. Is there a way to get the table I am looking for with this metadata?

chris
Motivator

I don't think so ... but maybe someone will come up with a creative solution

0 Karma

chris
Motivator

You could try this over all time, but it can take a long time:

| metasearch | stats dc(host) by index

aferone
Builder

I was hoping for something quicker, like in metadata. Searching every record just isn't feasible. But thanks!

0 Karma

bmacias84
Champion

@aferone,

Try this. Keep in mind you are searching all events and indexes with this query.


index=* | dedup host, index | table index, host

Hope this helps or gets you started. Don't forget to accept and vote on answers that help.

Cheers.

0 Karma

aferone
Builder

I was hoping for something quicker, like in metadata. Searching every record just isn't feasible. But thanks!

0 Karma

bmacias84
Champion

What does your search currently look like?

0 Karma