How can I retrieve the number of all windows hosts...

Steppyyy · ‎10-13-2022

Hello everyone,

As i written in title, i started using Splunk recently. I would like to know if someone could help me:

I have created a dashbord for analyze windows events. I have a query like this:

index=windows sourcetype in (...) EventCode=* | stats count by EventCode

Using this search, i get a table with in a column the EventCode, and in the other column i have the count of how many times that specific eventcode has "appeared". And so far everything is fine.

How can i retrieve the number of all windows hosts? I can't figure it out, i'm trying in a lot of ways but nothing

Thnks for the help

richgalloway · ‎10-13-2022

Counting hosts is similar to counting event codes.

index=windows sourcetype IN (...) | stats distinct_count(host)

I left out the EventCode field since that has no bearing on the number of hosts. The distinct_count function counts the number of unique values rather counting all hosts every time they appear.

There's a faster query that uses tstats.

| tstats dc(host) where index=windows sourcetype IN (...)

The tstats command is much faster because it looks at metadata rather than raw events. dc is a synonym for distinct_count.

---
If this reply helps you, Karma would be appreciated.

How can I retrieve the number of all windows hosts from my search?

administration

Analytics Workspace

using Splunk Enterprise

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes