Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forย 
Search instead forย 
Did you mean:ย 
Ask a Question
Solved! Jump to solution

How do I write the same search that populates the "Data Summary"?

samir_silva
New Member
โ€Ž11-05-2015 12:17 PM

I need the event data from the "Data Summary" because I need to create a search to find when hosts stop sending logs to our Splunk server via UDP syslog.

Thanks.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jmedved
Explorer
โ€Ž11-05-2015 03:07 PM

I'm pretty new to Splunk, but maybe this will help a bit. I think you need to use a metadata search. I have been using this to find dead log sources.

| metadata type=hosts index=mcafee | where recentTime < now() - 3600 | eval lastSeen = strftime(recentTime, "%F %T") | fields + host lastSeen

Maybe you can modify that for your use case.

View solution in original post

Reply
Solved! Jump to solution
Solution

jmedved
Explorer
โ€Ž11-05-2015 03:07 PM

I'm pretty new to Splunk, but maybe this will help a bit. I think you need to use a metadata search. I have been using this to find dead log sources.

| metadata type=hosts index=mcafee | where recentTime < now() - 3600 | eval lastSeen = strftime(recentTime, "%F %T") | fields + host lastSeen

Maybe you can modify that for your use case.

View solution in original post

Reply
Solved! Jump to solution

samir_silva
New Member
โ€Ž11-16-2015 05:20 AM

Thank you so much jmedved,

I used this search and It's working very well.

Thank you so much again.

| metadata type=hosts index=* | where recentTime < now() - 3600 | eval "Ultimo Envio" = strftime(recentTime, "%F %T") |fields + host "Ultimo Envio" | search host!="10.244.68.15" host!="172.26.142.131" host!="172.26.142.129"

0 Karma
Reply