Splunk Enterprise

Finding hosts in Splunk

Mukunda7
Explorer

So we have a task to find all the hosts in our Splunk Enterprise. We need a list of them and the type of logs we are getting from those hosts.

How can we do that easily?


PickleRick
SplunkTrust

It all depends on what you mean by "all hosts" but in general - unless you have a very well organized environment, you might have problems with that.

Why? Because splunk as such doesn't much care about the metadata - it's up to you and your apps to make it reasonable.

For example - if you have a UDP:514 input receiving syslog events and you receive events from ten different hosts which are misconfigured and are sending "localhost" as their name, splunk will probably parse the host field as "localhost" from the event contents and the source by default would be set to "udp:514". It doesn't tell you much, does it?

There's no "automatic" additional metadata that splunk captures - like source IP for network connections.

So even though you might list metadata about all your events (list all your sources, hosts and sourcetypes) it still might not correspond directly to your physical environment.


Mukunda7
Explorer

Got your point, but what we are looking for is which servers we are mainly getting data from for the last 30 days. Can we find that?

So that we can list those important servers and blocklist the remaining ones.


PickleRick
SplunkTrust

As I wrote earlier - you can list what you have in indexes. Just do

| tstats count where index=* by index,source,sourcetype

and you're all set.

It's just that you might end up with data which tells you absolutely nothing.


venkatasri
SplunkTrust

@Mukunda7

| metadata type=hosts index=* | fields host

index=* is not a great search; you can limit it if you know the index name.

---

Hope it helps!


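As an added worked example (not code from either answer above), the search below combines PickleRick's `tstats` listing with the 30-day window Mukunda7 asked about, broken down by host instead of only by index/source/sourcetype, and adds first-seen and last-seen timestamps so that hosts which have gone quiet stand out before anyone decides what to blocklist. It assumes the default index-time `host` and `sourcetype` fields, and the `index=*` should be narrowed to the indexes you actually care about on a large deployment, as venkatasri notes.

```spl
| tstats count AS events
         min(_time) AS first_seen
         max(_time) AS last_seen
    WHERE index=* earliest=-30d@d latest=now
    BY host index sourcetype
| eventstats sum(events) AS host_total BY host
| eval days_silent=round((now() - last_seen) / 86400, 1)
| eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M"),
       last_seen=strftime(last_seen, "%Y-%m-%d %H:%M")
| table host host_total index sourcetype events first_seen last_seen days_silent
| sort 0 -host_total host -events
```

Stage by stage: `tstats` reads the index-time fields straight from the tsidx files, so it runs quickly even with `index=*`; `eventstats` adds a per-host total next to each host/index/sourcetype row so the busiest servers sort to the top; `days_silent` is the number of days since the last event from that row, which is the visibility-gap check worth reviewing before treating a host as unimportant (a source that stopped logging a week ago is a finding, not a candidate for removal). `sort 0` removes the default 10,000-row cap on `sort`. Keep PickleRick's caveat in mind: `host` is whatever the forwarder or input set it to, so a misconfigured syslog fleet can collapse into a single `localhost` row. Also note that a host with zero events in the window never appears at all, since `tstats` only counts what is indexed; to catch those, compare this output against `| metadata type=hosts index=*` over a longer time range, whose `lastTime` and `totalCount` fields show when each host was last heard from.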