Splunk Search

Help with the query that works with splunk server groups

kteng2024
Path Finder

Hi,

Below is the query I am using to get the hostname, IP addresses, and last reported to Splunk.

| metadata type=hosts index=apache_web splunk_server_group=abc | search [ | makeresults | eval host= apacheweb123 | table host | makemv host delim=" " | mvexpand host | eval host="".host."" | format ] | table host | append [ | makeresults | eval host=apacheweb123 | table host | makemv host delim=" " | mvexpand host ] | join [ search index=_internal hostname=* | stats count by hostname sourceIp | table hostname sourceIp | rename hostname as host ]

But the above search is not working when the server group is mentioned, and I need server groups to make the search faster over a large dataset. Any help to get the hostname, IP address, and last reported, including splunk_server_group, would be appreciated.

0 Karma

elliotproebstel
Champion

What is your intention with these parts of the query:
| search [ | makeresults | eval host= apacheweb123 | table host | makemv host delim=" " | mvexpand host | eval host="".host."" | format ]
and
| append [ | makeresults | eval host=apacheweb123 | table host | makemv host delim=" " | mvexpand host ]?

The subsearch in the first section returns: NOT() for me, and the subsearch in the second section returns no results. I tried to guess what your intentions might be, but I can't really make sense out of the |table...|makemv...|mvexpand thread, given that you are applying them to a single event to which it looks like you are just intending to assign a string value.

Additionally, | makeresults | eval host=apacheweb123 will not do anything useful, because Splunk treats the apacheweb123 portion as a variable name reference, rather than a string unless you wrap it in double-quotes: | makeresults | eval host="apacheweb123".

Can you explain more about what you're trying to do with all the subsearches?

0 Karma

kteng2024
Path Finder

Trying to display the metadata of the host entered by the user.

0 Karma
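As an added example (not from either poster), here is one way to write the search the question asks for, applying the point made in the answer: the user-entered host list is quoted as a string so `makemv`/`mvexpand`/`format` can turn it into a host filter, `splunk_server_group` stays on the `metadata` command, and the IP comes from a left join against `_internal`. The index, server group and host names are placeholder values:

```spl
| metadata type=hosts index=apache_web splunk_server_group=abc
| search [
    | makeresults
    | eval host="apacheweb123 apacheweb124"
    | makemv host delim=" "
    | mvexpand host
    | table host
    | format
  ]
| eval last_reported=strftime(recentTime, "%Y-%m-%d %H:%M:%S")
| join type=left host [
    search index=_internal hostname=* sourceIp=*
    | stats count BY hostname sourceIp
    | rename hostname AS host
    | fields host sourceIp
  ]
| table host sourceIp last_reported
```

The `format` subsearch expands to `( ( host="apacheweb123" ) OR ( host="apacheweb124" ) )`, which is why the first `search` no longer returns `NOT()`; `recentTime` from `metadata` is the most recent index time for each host, which is what "last reported" usually means here.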