Splunk Search
Highlighted

Create table containing hosts,sources metadata?

Path Finder

I would like to have a list of all the hosts (over some period of time, presumably) and the sources that they've generated logs entries with. A simple table format would work, so there'd be 10 lines for host X, each with a different source listed, if host X generated logs for 10 sources.

More simply:

host1,source1
host1,source2
host2,source1
host2,source3
host2,source4

Is there a way I can get this information? I see how to pull hosts using metadata, and I see how to pull sources using metadata, but I don't see how the two can be related.

Tags (3)
Highlighted

Re: Create table containing hosts,sources metadata?

Explorer

You can use the following search to accomplish this (slightly different output than you've specified):

* | chart values(source) by host

Or, if you want to include the all (including internal) indexes:

index=* | chart values(source) by host
Highlighted

Re: Create table containing hosts,sources metadata?

Path Finder

Very good, thank you - even though the output format wasn't what I was thinking of, it's still useful and it helps me think in terms of how chart can help me. Thanks!

0 Karma
Highlighted

Re: Create table containing hosts,sources metadata?

Legend

You will have to actually count them up:

index=* | stats count by host, source

should do it.

View solution in original post

Highlighted

Re: Create table containing hosts,sources metadata?

Path Finder

Excellent, gives me just what I was looking for.

0 Karma
Speak Up for Splunk Careers!

We want to better understand the impact Splunk experience and expertise has has on individuals' careers, and help highlight the growing demand for Splunk skills.