Re: How to check if a host ever reported to Splunk

SamHTexas · ‎03-16-2021

How to check if a couple of hosts /VMs ever reported to Splunk? I have looked in Deployment server, no sign of them or history. Please advise

Vardhan · ‎03-16-2021

Hi @SamHTexas ,

Check the internal logs of those hosts using the below query. If the host had reported past and stopped reporting now you can find out when the host has sent the last log.

index=_internal host= spl01* (mention the hostname*)

or

|tstats count where index=_internal host=spl01* by host ( use this query if you want to check more than 30days)

if this answer helps you then upvote it.

SamHTexas · ‎03-16-2021

index=_internal host= spl01* (mention the hostname*)

In the above I just write it in capital letters to see if I have it. Is it host=SPL01* correct?

Also I don't have access to the hosts, they are VMs in another city. Please advise.

Vardhan · ‎03-16-2021

HI @SamHTexas ,

You have to mention your hostname. I just mentioned that as an example. And without having list of hostnames how will you check? you need to get that information.

And if you need just the host information which are reporting to Splunk. You use the below query.

| tstats count where index=_internal by host (it will give all the hosts list)

How to check if a host ever reported to Splunk

stats

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!