Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Count of UF reporting by serverclass over time

hartfoml
Motivator
‎09-24-2014 08:40 AM

I can look in the _internal index on the deployment server to get this log

xxxx.xxx.xxx.xxx - - [24/Sep/2014:10:09:39.751 -0500] "POST /services/broker/phonehome/connection_X.X.X.X_8089_AnyServer.MyDomain.com_AnyServer_ServerClass HTTP/1.0" 200 1468 - - - 44ms

So I can see the Server name and the serverclass of the system. I can create a search like this:

host="DeploymentServer" index="_internal" sourcetype="splunkd_access" "POST /services/broker/phonehome/connection" serverclass=* earliest=-3mon@mon latest=@mon| dedup clientip | timechart span=1m count AS "Num Systems"

My problem is that for the 3 month I have over 15 million records for the phonehome log from my more than 600 systems.

Anyone know of a faster way to search for hosts connected by month to the deployment server?

0 Karma
Reply

pmdba
Builder
‎09-27-2014 07:41 PM

You should be able to use the REST interface to get what you want a little more elegantly, as was suggested to me in this answer.

0 Karma
Reply

hartfoml
Motivator
‎10-02-2014 11:07 AM

@pmdba Thanks for the sugestion. I tried this search

  | rest /services/deployment/server/clients | table clientName hostname

and this one

| rest /services/deployment/server/clients

and it returned no results over a month
I tried this one too,

|eventcount summarize=false index=* | table index | map maxsearches=1000 search="|metadata type=hosts index=$index$ | table host | eval index=\"$index$\""

and it gave me all the host that had ever recorded data to the system to any index and no time intervel to sort on or compair to last month

0 Karma
Reply

sowings
Splunk Employee
Splunk Employee
‎09-24-2014 08:56 AM

Expected result?

Client IP: count of connections?

Client IP: count of serverclasses?

0 Karma
Reply

hartfoml
Motivator
‎09-24-2014 09:00 AM

in one case I would like all servers reporting per month over time. this will show a trend of added servers.

In another case I would like number of servers by serverclass over time. each server class is an operational origination. this will show which org is putting in the most systems over time.

0 Karma
Reply

hartfoml
Motivator
‎09-24-2014 08:42 AM

sorry if I do this I can get a count by serverclass

host="DeploymentServer" index="_internal" sourcetype="splunkd_access" "POST /services/broker/phonehome/connection" serverclass=* earliest=-3mon@mon latest=@mon| dedup clientip | timechart span=1m count by serverclass

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...