Re: Need help with an SPL to check an Index to see...

SamHTexas · ‎01-28-2022

I work in a large environment, Splunk Ent + ES ( SH & Indexer clustered). I need to see what network servers are viewed / contained / monitored in any of indexes. Any help / SPLs are much appreciated.

PickleRick · ‎01-28-2022

And how would you want to distinguish those servers? Let's assume that you have several dozens of servers, each writing events via syslog to a central server from which you read those events from a file.

Your source is /var/log/whatever.log since it's read from a file. Your devices are dumb and cannot send FQDN as hostname so they only all send "router1" as name.

How would you go about deciding how many router1's are there?

It can be done in some particular cases, but in many cases - no.

Of course you can list sources or hosts from each index (that's trivial to do) but there's nothing except good practice and convention that would guarantee that such list would be complete and reliable.

SamHTexas · ‎01-28-2022

I appreciate your help. I would like to see the list of servers's name ( machine names). I believe this list of servers would show that they are being monitored correct? So, is there a SPL you may share that would show mw this list of servers? We do have about 100 indexes. Thanks buddy.

SinghK · ‎01-28-2022

Index =*|stats count by host

Need help with an SPL to check an Index to see list of servers it contains. Thx a million

using Splunk Enterprise

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?