Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I write the same search that populates the "Data Summary"?

samir_silva
New Member
‎11-05-2015 12:17 PM

I need the event data from the "Data Summary" because I need to create a search to find when hosts stop sending logs to our Splunk server via UDP syslog.

Thanks.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jmedved
Explorer
‎11-05-2015 03:07 PM

I'm pretty new to Splunk, but maybe this will help a bit. I think you need to use a metadata search. I have been using this to find dead log sources.

| metadata type=hosts index=mcafee | where recentTime < now() - 3600 | eval lastSeen = strftime(recentTime, "%F %T") | fields + host lastSeen

Maybe you can modify that for your use case.

View solution in original post

Reply
Solved! Jump to solution
Solution

jmedved
Explorer
‎11-05-2015 03:07 PM

I'm pretty new to Splunk, but maybe this will help a bit. I think you need to use a metadata search. I have been using this to find dead log sources.

| metadata type=hosts index=mcafee | where recentTime < now() - 3600 | eval lastSeen = strftime(recentTime, "%F %T") | fields + host lastSeen

Maybe you can modify that for your use case.

Reply
Solved! Jump to solution

samir_silva
New Member
‎11-16-2015 05:20 AM

Thank you so much jmedved,

I used this search and It's working very well.

Thank you so much again.

| metadata type=hosts index=* | where recentTime < now() - 3600 | eval "Ultimo Envio" = strftime(recentTime, "%F %T") |fields + host "Ultimo Envio" | search host!="10.244.68.15" host!="172.26.142.131" host!="172.26.142.129"

0 Karma
Reply
Get Updates on the Splunk Community!

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...