Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do i get a count of all my assets by Splunk Version by Os

veryfoot
Path Finder
‎03-30-2023 06:19 AM

Hi Splunkers,

I'm new in the Splunk world.

I'm trying for a reporting tasks, to obtain the counting of every Client or server (all asset with splunk deamon) by version of splunk release by Os type.

Im not familiat with "stats" command.

I tryed somthings like this :

 

index="_internal" sourcetype="splunkd" group=tcpin_connections (os=windows OR os=linux) (version=7* OR version=8*) 
| table version, os, hostname
| dedup hostname
| stats count as hostname by version,os

 

But the results seems to be incorrect. I cant figure it out what i am doing wrong in order to obtain something like this :

 

Splunk version  | os      | Hostname_count_result
8.x.x           | linux   | sum of hostnames
8.x.x           | windows | sum of hostnames
7.x.x           | linux   | sum of hostnames
7.x.x           | windows | sum of hostnames

 

Many thanks for your returns !

Regards

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎03-30-2023 06:48 AM

You have the right idea.  This works for me and is little more performant.  I added version=9* because I don't have any version 7 or 8 instances.

index="_internal" sourcetype="splunkd" group=tcpin_connections (os=windows OR os=linux) (version=7* OR version=8* OR version=9*)
| fields version, os, hostname
| stats dc(hostname) as hostname by version,os

What made you think the original results were incorrect?

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎03-30-2023 06:48 AM

You have the right idea.  This works for me and is little more performant.  I added version=9* because I don't have any version 7 or 8 instances.

index="_internal" sourcetype="splunkd" group=tcpin_connections (os=windows OR os=linux) (version=7* OR version=8* OR version=9*)
| fields version, os, hostname
| stats dc(hostname) as hostname by version,os

What made you think the original results were incorrect?

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

veryfoot
Path Finder
‎03-30-2023 07:25 AM

Hi and many thank for your fast return.

About my doubts of my results, I think i wasnt sure that the counting were correct, beacause I have more than 20 000 assets... The usage of the "stats" command is for now, a bit foggy to me. So i wasnt sure of my search request.

While trying differents things, the differents results was not concordants... so I wanted to check that my method was correct.

Many thanks again for the solution, it do perfectly the result I needed !

Best regards my new Splunk friend ^^

 

Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...