Splunk Search

How to search for newly added hosts?

Gayathirik
Path Finder

Hi

We have some new hosts added in our instance. We need to build a search to check for newly added hosts.

We have used the below search, but that is giving all the hosts that have communicated in the past 7 days rather than the ones that are newly added.

   | metadata type=hosts |eval SevenDaysBack = relative_time(now(), "-7d@d") 
   | where firstTime > SevenDaysBack 
   | eval hostAdded=strftime(firstTime, "%d-%m-%Y %H:%M") 
   | table host, hostAdded | sort hostAdded

Also, metadata does not go well with the time range picker; the above search is not taking the time range either.

Is there any other way that we can find a solution to this?

Regards,
Gayathiri K


colinmchugo
Explorer

Any luck with the answer to this, lads? I am looking to alert on any new domains that have not been seen before, i.e. new domains being hit. I want a Splunk alert for this. Thanks, C.


TStrauch
Communicator

Hi,

I think you should take a look at this answer post. It's a smart solution for your problem, built around a little lookup file.

https://answers.splunk.com/answers/422889/how-to-search-for-newly-added-servers-by-comparing.html

Kind regards
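To make the lookup-file approach concrete, here is an added example search. It is not from the original post or from the linked answer, and the lookup name `known_hosts` (a lookup definition backed by a CSV with the columns `host` and `first_seen`) is an assumption. The idea is to keep the first-seen time per host in the lookup rather than relying on `firstTime` from `metadata`: `metadata` is computed from the buckets still on disk, so `firstTime` moves forward as old buckets are frozen, and a long-standing host can look "new" again once its oldest data ages out. The lookup also sidesteps the time range picker problem, because "new" is defined as "not in the lookup" instead of "first seen within the picker's window".

```spl
| metadata type=hosts index=*
| fields host firstTime
| lookup known_hosts host OUTPUTNEW first_seen
| where isnull(first_seen)
| eval first_seen=firstTime
| eval hostAdded=strftime(first_seen, "%d-%m-%Y %H:%M")
| table host first_seen hostAdded
| outputlookup append=true known_hosts
```

Each run returns only hosts that are not yet in the lookup and appends them to it, so the result set is exactly the newly added hosts since the previous run (the 2 out of 200 in the example above). Seed the lookup once before scheduling, with `| metadata type=hosts index=* | eval first_seen=firstTime | table host first_seen | outputlookup known_hosts`, otherwise the first run reports every existing host as new. Schedule the search (for example daily) and alert when the result count is greater than 0. The same pattern covers the "new domains" case raised in this thread: replace the `metadata` line with a search over the relevant events and `| stats min(_time) as firstTime by domain`, and key the lookup on `domain` instead of `host`.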

inventsekar
Ultra Champion

I was checking this metadata, metasearch and dbinspect, plain search queries... but still no luck.

One thought: do you want to find out all hosts recently (last 7 days) added,
or
do you have a host name or a list of hosts, and you want to find out their date added to Splunk?


Gayathirik
Path Finder

We need to find out all the new hosts that are added recently, and not their date.


inventsekar
Ultra Champion

Sorry, not getting you... you need to find out recently added hosts, meaning you want to know the date the hosts were added to Splunk, right?


Gayathirik
Path Finder

For example, if we have 200 hosts and say 2 new hosts are added in a week, I would want to check only those 2 newly added hosts.


colinmchugo
Explorer

Any result, lads? I'd like an answer to this one too. Cheers.
