We use this search quite a bit, and love it. In this example it provides a list of all hosts (servers) reporting to Splunk in a specific index...
|metadata type=hosts index=ms_ad_log| convert timeformat=" %m/%d/%Y" ctime(*) none(host) none(type) none(totalCount) |rename firstTime AS first, recentTime AS last, totalCount as total | table host,first,last,total | sort - total
But...I need to narrow this search to a specific set of hosts that are named IAA -- and using this search criteria doesn't seem to work....
|metadata type=hosts index=* host=*IAA*| convert timeformat=" %m/%d/%Y" ctime(*) none(host) none(type) none(totalCount) |rename firstTime AS first, recentTime AS last, totalCount as total | table host,first,last,total | sort - total
Any ideas?
Hi sm600,
@sk314 got it almost correct 😉 Try this:
| metadata type=hosts index=*
| search host=IAA*
| convert timeformat=" %m/%d/%Y" ctime(*) none(host) none(type) none(totalCount)
| rename firstTime AS first, recentTime AS last, totalCount as total
| table host,first,last,total
| sort - total
cheers, MuS
Not again! 😐 😛
Thanks...adding
|search host=*iaa*|
worked perfectly
Did you try using host=IAA*?