Splunk Search

How to identify new host entries in Indexed data?


This is my first time messing with indexed data. How would I go about identifying any new entries in data that is indexed daily?

Below is the search string I am using. Is there some way to get this to show new hosts that were added?

index=cmdb |  search Owner_Contact="IS&O" | search OS="Win*"|timechart span=1d count(Name) by OS



Assuming that Name is the host name field, use something like this -

index=cmdb | search Owner_Contact="IS&O" | search OS="Win*"
| stats min(_time) as FirstUseOfHost max(_time) as LastUseOfHost by Name
| where FirstUseOfHost >= relative_time(now(),"-24h")

This is efficient enough for a small institution. However, if you were planning to run this over time at a large institution, then you'd want to use a more efficient way: perhaps create a CSV of all the hosts you have already seen, then run the search only over the last 24 hours, dedup the 24-hour results on Name, then lookup and find those not matched.


Revered Legend

To identify new hosts, you should have a list of hosts that have reported earlier to compare against. So either you can set up a scheduled search to create a list of servers that have already reported, and then compare it against the servers reporting now (today, or the last 4 hrs, or whatever period you want).

The other option would be, within the same search itself, to compare the servers from the current desired period vs the prior period. E.g. the following would give you a list of hosts which were not reporting yesterday but are reporting today (new hosts if compared with yesterday's data):

index=cmdb earliest=-1d@d latest=now Owner_Contact="IS&O" OS="Win*"
| eval Day=if(_time<relative_time(now(),"@d"),"Yesterday","Today")
| stats values(Day) as reportedDays by Name
| where mvcount(reportedDays)=1 AND reportedDays="Today"
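Both answers describe the baseline approach (keep a list of the hosts already seen, then check each day's hosts against it) but neither gives the search for it. The savedsearches.conf stanza below is an added example, not code from either poster or from Splunk. It assumes a lookup file named cmdb_known_hosts.csv and the stanza name; the index, field names and filters are the ones from the question.

```ini
# Added example (not from the thread): a scheduled alert that keeps a CSV
# lookup of every CMDB host seen so far and fires on Names not yet in it.
# cmdb_known_hosts.csv and the stanza name are assumptions.
[CMDB - New Windows hosts for IS&O]
enableSched = 1
# Run daily at 06:00 over the previous 24 hours, snapped to the hour so a
# late-starting job neither leaves a gap nor double-counts.
cron_schedule = 0 6 * * *
dispatch.earliest_time = -24h@h
dispatch.latest_time = @h
# Fire when at least one row (one new host) comes out of the search.
counttype = number of events
relation = greater than
quantity = 0
alert.track = 1
# Search logic:
#  1. collapse the window to one row per Name (the dedup step),
#  2. append the known-host baseline from the lookup,
#  3. a Name that has exactly one source row and that row came from the
#     window is new; a Name in both has two rows, a Name only in the
#     lookup has no in_window value,
#  4. write the merged list back so the baseline grows each run,
#  5. keep only the new rows for the alert.
search = index=cmdb Owner_Contact="IS&O" OS="Win*" \
| stats min(_time) AS first_seen BY Name \
| eval in_window=1 \
| inputlookup append=true cmdb_known_hosts.csv \
| stats min(first_seen) AS first_seen, max(in_window) AS in_window, count AS sources BY Name \
| eval is_new=if(sources=1 AND in_window=1, 1, 0) \
| fields Name first_seen is_new \
| outputlookup cmdb_known_hosts.csv \
| where is_new=1 \
| eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S") \
| table Name first_seen
```

Two caveats before scheduling it. `inputlookup` errors if the CSV does not exist yet, so seed the baseline once by hand over a longer range, e.g. `index=cmdb earliest=-30d Owner_Contact="IS&O" OS="Win*" | stats min(_time) AS first_seen BY Name | eval is_new=0 | outputlookup cmdb_known_hosts.csv`; everything that is in that seed will never alert. And `outputlookup` rewrites the file on every run, so the stanza's owning app and role need write access to its lookups directory, and a host that is retired stays in the baseline, which is what you want here: a host that drops out of the CMDB and later reappears is not a new host.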