Solved: Create table containing hosts,sources metadata?

gowen · ‎01-30-2012

I would like to have a list of all the hosts (over some period of time, presumably) and the sources that they've generated logs entries with. A simple table format would work, so there'd be 10 lines for host X, each with a different source listed, if host X generated logs for 10 sources.

More simply:

host1,source1
host1,source2
host2,source1
host2,source3
host2,source4

Is there a way I can get this information? I see how to pull hosts using metadata, and I see how to pull sources using metadata, but I don't see how the two can be related.

lguinn2 · ‎01-30-2012

You will have to actually count them up:

index=* | stats count by host, source

should do it.

View solution in original post

lguinn2 · ‎01-30-2012

You will have to actually count them up:

index=* | stats count by host, source

should do it.

gowen · ‎01-31-2012

Excellent, gives me just what I was looking for.

sbrant_tt · ‎01-30-2012

You can use the following search to accomplish this (slightly different output than you've specified):

* | chart values(source) by host

Or, if you want to include the all (including internal) indexes:

index=* | chart values(source) by host

gowen · ‎01-31-2012

Very good, thank you - even though the output format wasn't what I was thinking of, it's still useful and it helps me think in terms of how chart can help me. Thanks!

Create table containing hosts,sources metadata?

New Case Study Shows the Value of Partnering with Splunk Academic Alliance

How to Monitor Google Kubernetes Engine (GKE)

Index This | How can you make 45 using only 4?