Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Count of UF reporting by serverclass over time

hartfoml
Motivator
‎09-24-2014 08:40 AM

I can look in the _internal index on the deployment server to get this log

xxxx.xxx.xxx.xxx - - [24/Sep/2014:10:09:39.751 -0500] "POST /services/broker/phonehome/connection_X.X.X.X_8089_AnyServer.MyDomain.com_AnyServer_ServerClass HTTP/1.0" 200 1468 - - - 44ms

So I can see the Server name and the serverclass of the system. I can create a search like this:

host="DeploymentServer" index="_internal" sourcetype="splunkd_access" "POST /services/broker/phonehome/connection" serverclass=* earliest=-3mon@mon latest=@mon| dedup clientip | timechart span=1m count AS "Num Systems"

My problem is that for the 3 month I have over 15 million records for the phonehome log from my more than 600 systems.

Anyone know of a faster way to search for hosts connected by month to the deployment server?

0 Karma
Reply

pmdba
Builder
‎09-27-2014 07:41 PM

You should be able to use the REST interface to get what you want a little more elegantly, as was suggested to me in this answer.

0 Karma
Reply

hartfoml
Motivator
‎10-02-2014 11:07 AM

@pmdba Thanks for the sugestion. I tried this search

  | rest /services/deployment/server/clients | table clientName hostname

and this one

| rest /services/deployment/server/clients

and it returned no results over a month
I tried this one too,

|eventcount summarize=false index=* | table index | map maxsearches=1000 search="|metadata type=hosts index=$index$ | table host | eval index=\"$index$\""

and it gave me all the host that had ever recorded data to the system to any index and no time intervel to sort on or compair to last month

0 Karma
Reply

sowings
Splunk Employee
Splunk Employee
‎09-24-2014 08:56 AM

Expected result?

Client IP: count of connections?

Client IP: count of serverclasses?

0 Karma
Reply

hartfoml
Motivator
‎09-24-2014 09:00 AM

in one case I would like all servers reporting per month over time. this will show a trend of added servers.

In another case I would like number of servers by serverclass over time. each server class is an operational origination. this will show which org is putting in the most systems over time.

0 Karma
Reply

hartfoml
Motivator
‎09-24-2014 08:42 AM

sorry if I do this I can get a count by serverclass

host="DeploymentServer" index="_internal" sourcetype="splunkd_access" "POST /services/broker/phonehome/connection" serverclass=* earliest=-3mon@mon latest=@mon| dedup clientip | timechart span=1m count by serverclass

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...