Re: Report Showing How Many Hosts Per Index

aferone · ‎05-16-2013

I have been trying, but I can't get it to work.

I basically want a table that shows the index in Column A, and how many hosts are in that index in Column B. How would I go about this?

Thanks!

FrankVl · ‎05-31-2018

Was tstats invented after 2013, or did everyone just forget about that?

Just do a:

| tstats dc(host) where index=* by index

jpgordon · ‎05-31-2018

Old thread, but I figured out a way to do this with metadata.

And you just keep appending until you get all the indexes you wanted.
Kind of wonky, but it's fast.

varad_joshi · ‎08-19-2016

index=* | stats values(host) by index

This would also work but then it actually searches all the indexes for all the time. Well if that's what you want then this will work.

aferone · ‎05-16-2013

| metadata type=hosts index= | stats count by host

I can get a list of hostnames using this query. Is there a way to get the table I am looking for with this metadata?

chris · ‎05-20-2013

I don't think so ... but maybe someone will come up with a creative solution

chris · ‎05-16-2013

You could try this over all time, but it can take a long time:

| metasearch | stats dc(host) by index

aferone · ‎05-16-2013

I was hoping for something quicker, like in metadata. Searching every record just isn't feasible. But thanks!

bmacias84 · ‎05-16-2013

@aferone,

Try this. keep in mind you are searching all event and indexs with this query.



index=* | dedup host, index | table index, host

Hope this helps or gets you started. Dont forget to accept and vote answers that help.

Cheers.

aferone · ‎05-16-2013

I was hoping for something quicker, like in metadata. Searching every record just isn't feasible. But thanks!

bmacias84 · ‎05-16-2013

what does your search currently look like?

Report Showing How Many Hosts Per Index