Splunk Search

How to identify new host entries in Indexed data?

jhayIV
Engager

This is my first time messing with indexed data. How would I go about identifying any new entries from data that is indexed daily?

Below is the search string I am using. Is there some way to get this to show new hosts that were added?

index=cmdb | search Owner_Contact="IS&O" | search OS="Win*" | timechart span=1d count(Name) by OS

aaraneta_splunk
Splunk Employee

@jhayIV - Did one of the answers below help provide a solution to your question? If yes, please click “Accept” below the best answer to resolve this post and upvote anything that was helpful. If no, please leave a comment with more feedback. Thanks.


DalJeanis
SplunkTrust

Assuming that Name is the host name field, use something like this -

index=cmdb | search Owner_Contact="IS&O" | search OS="Win*"
| stats min(_time) as FirstUseOfHost max(_time) as LastUseOfHost by Name
| where FirstUseOfHost >= relative_time(now(),"-24h")

This is efficient enough for a small institution. However, if you were planning to run this over time on a large institution, then you'd want to use a more efficient way, perhaps creating a csv of all the hosts you already have seen, and then running the search only for the last 24 hours, dedup the 24 hour results on name, then lookup and find those not matched.


somesoni2
Revered Legend

To identify new hosts, you should have a list of hosts that have reported earlier to compare against. So either you can set up a scheduled search to create a list of servers already reported and then compare it against the servers reported now (today, or the last 4 hrs, or whatever period you want).

The other option would be, within the same search itself, to compare the count of servers from the current desired period vs the prior period. E.g. the following would give you a list of hosts which were not available yesterday but are reporting today (a new host if compared with yesterday's data):

index=cmdb earliest=-1d@d latest=now Owner_Contact="IS&O" OS="Win*"
| eval Day=if(_time<relative_time(now(),"@d"),"Yesterday","Today")
| stats values(Day) as reportedDays by host
| where mvcount(reportedDays)=1 AND reportedDays="Today"
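Both answers above come down to the same pattern: keep a baseline of the hosts already seen and compare each day's data against it. The two searches below are an added example of that pattern in SPL; they are not from either poster. They assume the field names from the question (Name as the host field, Owner_Contact, OS) and a lookup file named known_win_hosts.csv, which is a name chosen for this example. The first search is the alert (hosts seen in the last 24 hours that are not yet in the baseline); the second maintains the baseline.

```spl
index=cmdb earliest=-24h latest=now Owner_Contact="IS&O" OS="Win*"
| stats min(_time) as first_seen count by Name
| lookup known_win_hosts.csv Name OUTPUT first_seen AS baseline_first_seen
| where isnull(baseline_first_seen)
| eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S")
| table Name first_seen count

index=cmdb earliest=-24h latest=now Owner_Contact="IS&O" OS="Win*"
| stats min(_time) as first_seen by Name
| inputlookup append=true known_win_hosts.csv
| stats min(first_seen) as first_seen by Name
| outputlookup known_win_hosts.csv
```

Seed the baseline once by running the second search over a longer window (for example earliest=-30d) without the inputlookup line, since inputlookup fails if the file does not exist yet. After that, schedule the first search as an alert and the second a few minutes later, so a new host is reported before it is added to the baseline. Because the lookup only ever grows by Name and is merged with stats min(first_seen), it stays small and the daily searches only read 24 hours of data, which is the efficiency point DalJeanis raises for a large institution. A host that drops out of the data and later reappears is not reported again by this approach; the all-time stats-by-Name search is the one to use for a one-off question over full history.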