How to group/count assets based on part of ip or hostname

att35
Builder

Hi,

Is there a way in Splunk to do a stat count based on part of the fields result?

We have multiple data center sites, with the big ones having their own OSSEC / Splunk server. All OSSEC results are directly sent to the respective Splunk indexers for that site. There are a few smaller sites where it was not worth adding a dedicated indexer, and thus, based on the location, we just selected one of the main indexers and used it for these.

There is a central Splunk search head which is used to query all remote Splunk indexers.

I wanted to find out how many agents are reporting per site, but now it becomes a little tricky because we cannot rely on the "splunk_server" field. E.g. Site 12 has around 100 servers, but all those are sending logs to the Splunk indexer in Site 30.

If there is a way to do a grouping or stats count on part of the IP address, e.g. all servers in Site 12 will have the first 3 octets "10.11.12", all in Site 15 will have "10.11.15" and so on, then it might be possible to create a chart truly based on the site and not the reporting Splunk server.

Is there a way to accomplish this in Splunk?

Thanks,

Abhi

martin_mueller
SplunkTrust

A simple way would be to chop your field as needed:

... | rex field=your_ip_field "^(?<first_three_octets>\d+\.\d+\.\d+)" | stats count by first_three_octets

More complicated examples could be solved by an | eval category = case(...) | stats count by category.

A neater way would be to tag your fields with the site name and do a stats count by tag::your_ip_field. It might require a bit more work to tag the values than just going by /24s, but that would allow much easier searching and all that.
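As an added example (not from the original thread), the following search combines the rex and eval/case approaches above into one query that counts distinct reporting OSSEC agents per site, and goes one step beyond /24 prefixes by using cidrmatch() for a site whose range does not fall on an octet boundary. The index, the src_ip and host field names and the site address ranges are assumptions.

```spl
index=ossec earliest=-24h
| rex field=src_ip "^(?<site_prefix>\d+\.\d+\.\d+)\."
| eval site=case(
    site_prefix=="10.11.12", "Site 12",
    site_prefix=="10.11.15", "Site 15",
    cidrmatch("10.11.16.0/23", src_ip), "Site 16",
    true(), "unknown")
| stats dc(host) AS reporting_agents, latest(_time) AS last_seen by site
| eval last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| sort - reporting_agents
```

A site that shows up as "unknown" or with a lower agent count than expected is worth a second look, since it usually means an agent has stopped reporting or its address falls outside the ranges in the case() mapping.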
