Splunk Cloud

Searching all hosts in an index for count

verifi81
Path Finder

Hello folks,

I have about 20 hosts that fall under index=devices

I need a query that will display the count information for each host, once over a 24 hour period. 
My intention is to use this to set an alert so that if a host does not have any count in 24 hours, it will send an alert. 

What query would work best for this? 

Labels (1)
0 Karma
1 Solution

ITWhisperer
Ultra Champion

This will get you the daily counts.

index=devices | bin _time span=1d | stats count by _time host

However, if a host has no events, it will not show up. Ways around this include using lookups to retrieve all the valid hosts from a file or key store, or use a longer time frame to retrieve (and possibly dedup) the hosts so you can see if they had event in the time frame of interest.

View solution in original post

0 Karma

ITWhisperer
Ultra Champion

This will get you the daily counts.

index=devices | bin _time span=1d | stats count by _time host

However, if a host has no events, it will not show up. Ways around this include using lookups to retrieve all the valid hosts from a file or key store, or use a longer time frame to retrieve (and possibly dedup) the hosts so you can see if they had event in the time frame of interest.

View solution in original post

0 Karma