Splunk Search

Active computers reporting to splunk last 30 days

cyler
New Member

I would like to know how to search for all computers that are reporting to Splunk in the last 30 day.

Thank you

Tags (4)
0 Karma

cyler
New Member

Forgive my being naive - Here is what result I get back

alt text

0 Karma

DalJeanis
SplunkTrust
SplunkTrust

get rid of everything before the first pipe

0 Karma

elliotproebstel
Champion

You could try these:

| tstats latest(_time) AS latest where index=* by host

or
| metadata type=hosts
Either should work.

0 Karma

adonio
Ultra Champion

many ways to go about it ...
try this |metadata type=hosts
see the output of the command and start exploring ...
heres a link to the doc that has more elaborated examples:
http://docs.splunk.com/Documentation/Splunk/7.0.3/SearchReference/Metadata
hope it helps

0 Karma

cyler
New Member

index=my_index* | metadata type=hosts

Error in 'metadata' command: This command must be the first command of a search.
The search job has failed due to an error. You may be able view the job in the Job Inspector.

0 Karma

adonio
Ultra Champion

please read the doc
metadata is a generating command has to be first
no need for index = something before
place this in your searchbae literally |metadata type=hosts

0 Karma

skulk
Explorer

Hi,

You should ru search like this one (set time-range picker for last 30 days):

index=* | stats count by host

This search will show you all hosts and number of events from each other.

0 Karma
Get Updates on the Splunk Community!

Observability Highlights | January 2023 Newsletter

 January 2023New Product Releases Splunk Network Explorer for Infrastructure MonitoringSplunk unveils Network ...

Security Highlights | January 2023 Newsletter

January 2023 Splunk Security Essentials (SSE) 3.7.0 ReleaseThe free Splunk Security Essentials (SSE) 3.7.0 app ...

Platform Highlights | January 2023 Newsletter

 January 2023Peace on Earth and Peace of Mind With Business ResilienceAll organizations can start the new year ...