Reporting

Report Showing How Many Hosts Per Index

aferone
Builder

I have been trying, but I can't get it to work.

I basically want a table that shows the index in Column A, and how many hosts are in that index in Column B. How would I go about this?

Thanks!

Tags (3)

FrankVl
Ultra Champion

Was tstats invented after 2013, or did everyone just forget about that?

Just do a:

| tstats dc(host) where index=* by index

jpgordon
New Member

Old thread, but I figured out a way to do this with metadata.

| metadata type=hosts index=main | stats count AS "Host Count" | eval "Source Index"="main"
| append [ | metadata type=hosts index=other | stats count AS "Host Count" | eval "Source Index"="other"
| table "Source Index","Host Count"

And you just keep appending until you get all the indexes you wanted.
Kind of wonky, but it's fast.

0 Karma

varad_joshi
Communicator

index=* | stats values(host) by index

This would also work but then it actually searches all the indexes for all the time. Well if that's what you want then this will work.

0 Karma

aferone
Builder

| metadata type=hosts index= | stats count by host

I can get a list of hostnames using this query. Is there a way to get the table I am looking for with this metadata?

chris
Motivator

I don't think so ... but maybe someone will come up with a creative solution

0 Karma

chris
Motivator

You could try this over all time, but it can take a long time:

| metasearch | stats dc(host) by index

aferone
Builder

I was hoping for something quicker, like in metadata. Searching every record just isn't feasible. But thanks!

0 Karma

bmacias84
Champion

@aferone,

Try this. keep in mind you are searching all event and indexs with this query.


index=* | dedup host, index | table index, host

Hope this helps or gets you started. Dont forget to accept and vote answers that help.

Cheers.

0 Karma

aferone
Builder

I was hoping for something quicker, like in metadata. Searching every record just isn't feasible. But thanks!

0 Karma

bmacias84
Champion

what does your search currently look like?

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In November, the Splunk Threat Research Team had one release of new security content via the Enterprise ...

Index This | Divide 100 by half. What do you get?

November 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

❄️ Celebrate the season with our December lineup of Community Office Hours, Tech Talks, and Webinars! ...