Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to identify new host entries in Indexed data?

jhayIV
Engager
‎01-05-2017 12:55 PM

This is my first time messing with indexed data, how would I go about identifying and new entries from data that is indexed daily?

Below is the search string I am using. Is theres someway to get this to show new hosts that were added ?

index=cmdb |  search Owner_Contact="IS&O" | search OS="Win*"|timechart span=1d count(Name) by OS
0 Karma
Reply

aaraneta_splunk
Splunk Employee
Splunk Employee
‎01-21-2017 11:42 AM

@jhayIV - Did one of the answers below help provide a solution your question? If yes, please click “Accept” below the best answer to resolve this post and upvote anything that was helpful. If no, please leave a comment with more feedback. Thanks.

0 Karma
Reply

DalJeanis
Legend
‎01-05-2017 01:39 PM

Assuming that Name is the host name field, use something like this -

index=cmdb | search Owner_Contact="IS&O" | search OS="Win*"
| stats min(_time) as FirstUseOfHost max(_time) as LastUseOfHost by Name
| search FirstUseOfHost >= relative_time(now(),"-24h")

This is efficient enough for a small institution. However, if you were planning to run this over time on a large institution, then you'd want to use a more efficient way, perhaps creating a csv of all the hosts you already have seen, and then running the search only for the last 24 hours, dedup the 24 hour results on name, then lookup and find those not matched.

0 Karma
Reply

somesoni2
Revered Legend
‎01-05-2017 01:30 PM

To identify new hosts, you should have a list of hosts that have reported earlier to compare against. So either you can setup a scheduled to search create list of servers already reported and then compare it agains the servers reported now (today, or last 4 hrs or whatever period you want).

Other option would be Within same search itself compare the count from servers from current desired period vs prior period. E.g. following would give you list of hosts which were not available yesterday but reporting today (new host if compared with yesterdays data)

index=cmdb earliest=-1d@d latest=now Owner_Contact="IS&O" OS="Win*" 
| eval Day=if(_time<relative_time(now(),"@d"),"Yesterday","Today") | stats values(Day) as reportedDays by host  | where mvcount(reportedDays)=1 AND reportedDays="Today"
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...