Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Find out index of hosts sending new since 24hrs

lslschr21
Loves-to-Learn Lots
‎05-27-2021 02:55 AM

Hi
I wanted to write a search that show all hosts that sends new since 24hrs into Splunk. The problem now is that I want to see in which index, these hosts deliver. For the first part I wrote the following search.

 

| metadata type=hosts index=_* OR index=*
| where firstTime >= relative_time(now(), "-24h")
| convert timeformat="%Y-%m-%d %T" ctime(firstTime) as firstTime, ctime(lastTime) as lastTime, ctime(recentTime) as recentTime
| search host!="*_*"
| table host, firstTime, recentTime
| join [|tstats latest(_time) as firsttwoTime where (index=* OR index=_*) by host, index
| table index, host]
| table index, host, firstTime, recentTime

 

The problem now is that this search is really slow, is there any other search that would be more efficient?

Labels (2)
Labels
0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...