Report Showing How Many Hosts Per Index

Builder

I have been trying, but I can't get it to work.

I basically want a table that shows the index in Column A, and how many hosts are in that index in Column B. How would I go about this?

Thanks!

Ultra Champion

Was tstats invented after 2013, or did everyone just forget about that?

Just do a:

| tstats dc(host) where index=* by index

New Member

Old thread, but I figured out a way to do this with metadata.

| metadata type=hosts index=main | stats count AS "Host Count" | eval "Source Index"="main"
| append [ | metadata type=hosts index=other | stats count AS "Host Count" | eval "Source Index"="other" ]
| table "Source Index","Host Count"

And you just keep appending until you get all the indexes you wanted.
Kind of wonky, but it's fast.

0 Karma

Communicator

index=* | stats values(host) by index

This would also work, but then it actually searches all the indexes for all time. Well, if that's what you want, then this will work.

0 Karma

Builder

| metadata type=hosts index= | stats count by host

I can get a list of hostnames using this query. Is there a way to get the table I am looking for with this metadata?

Motivator

I don't think so ... but maybe someone will come up with a creative solution

0 Karma

Motivator

You could try this over all time, but it can take a long time:

| metasearch | stats dc(host) by index

Builder

I was hoping for something quicker, like in metadata. Searching every record just isn't feasible. But thanks!

0 Karma

Champion

@aferone,

Try this. Keep in mind you are searching all events and indexes with this query.


index=* | dedup host, index | table index, host

Hope this helps or gets you started. Don't forget to accept and vote answers that help.

Cheers.

0 Karma

Builder

I was hoping for something quicker, like in metadata. Searching every record just isn't feasible. But thanks!

0 Karma

Champion

What does your search currently look like?

0 Karma