Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to limit results to one (1) for each host?

Bleepie
Communicator
‎10-12-2023 03:26 AM

Hi,

How do I limit the results per host? I have any (random) search query. I have 10 hosts. For each hosts, hundreds of events are shown. In a statistics table, I want to show only 1 event, per host. This way, I can check if each host has the logfile. It doesn't matter what the contents of the logfile are.

How do I perform this search?

This statistics table, or splunk dashboard, will have the following function:

Check if log exists on every server

Labels (1)
Labels
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎10-12-2023 05:11 AM

Hi @Bleepie,

did you tried with dedup (https://docs.splunk.com/Documentation/SCS/current/SearchReference/DedupCommandOverview)?

<your_search>
| dedup host
| sort host
| table host

but in this way you have only the list of hosts with events.

If you want o check if there are some missing host, you have to create a lookup (called e.g. perimeter.csv) containing at least one column called host and then run a search like the following:

| tstats count WHERE index=your_index BY host
| append [ | inputlookup perimeter.csv | eval count=0 | fields host count ]
| stats sum(count) AS total BY host
| where total=0

in this way, if you have results the host is missed.

Ciao.

Giuseppe

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...