Solved: How to list all hosts under a certain sourcetype?

AaronMoorcroft · ‎03-02-2016

Hey Guys

So I have a sourcetype of syslog, but under that sourcetype seems to be a whole bunch of hosts. What's the best search to list all the hosts sending under the syslog sourcetype?

Sorry for such a basic question, I'm not too bad at making Splunk work, but actually using it for searches etc I'm not so hot.

Cheers

Aaron

vasildavid · ‎03-02-2016

sourcetype=syslog | stats count by host

Or, you could use something like this to see how much data each host is sending:

sourcetype=syslog | eval length=len(_raw) | stats sum(length) by host

View solution in original post

muebel · ‎03-02-2016

Hi Aaron, if you wanted a quick simple count, this might be a good use for tstats, which will usually finish faster than a normal search.

| tstats count where sourcetype=syslog by host

somesoni2 · ‎03-02-2016

I can vouch for that

AaronMoorcroft · ‎03-02-2016

Thank you, that also seems to work well, no doubt ill be needing more help with some simple searches over the coming days. I have to try and break down everything that is being logged into categories and generally have a tidy up.

vasildavid · ‎03-02-2016

sourcetype=syslog | stats count by host

Or, you could use something like this to see how much data each host is sending:

sourcetype=syslog | eval length=len(_raw) | stats sum(length) by host

AaronMoorcroft · ‎03-02-2016

That Iooks to be doing what I need, thank you Sir...

How to list all hosts under a certain sourcetype?

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor