Solved: How to list all hosts under a certain sourcetype?

AaronMoorcroft · ‎03-02-2016

Hey Guys

So I have a sourcetype of syslog, but under that sourcetype seems to be a whole bunch of hosts. What's the best search to list all the hosts sending under the syslog sourcetype?

Sorry for such a basic question, I'm not too bad at making Splunk work, but actually using it for searches etc I'm not so hot.

Cheers

Aaron

vasildavid · ‎03-02-2016

sourcetype=syslog | stats count by host

Or, you could use something like this to see how much data each host is sending:

sourcetype=syslog | eval length=len(_raw) | stats sum(length) by host

View solution in original post

muebel · ‎03-02-2016

Hi Aaron, if you wanted a quick simple count, this might be a good use for tstats, which will usually finish faster than a normal search.

| tstats count where sourcetype=syslog by host

somesoni2 · ‎03-02-2016

I can vouch for that

AaronMoorcroft · ‎03-02-2016

Thank you, that also seems to work well, no doubt ill be needing more help with some simple searches over the coming days. I have to try and break down everything that is being logged into categories and generally have a tidy up.

vasildavid · ‎03-02-2016

sourcetype=syslog | stats count by host

Or, you could use something like this to see how much data each host is sending:

sourcetype=syslog | eval length=len(_raw) | stats sum(length) by host

AaronMoorcroft · ‎03-02-2016

That Iooks to be doing what I need, thank you Sir...

How to list all hosts under a certain sourcetype?

Developer Spotlight with Brett Adams

Index This | What can you do to make 55,555 equal 500?

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...