Splunk Search

How to show all data of one field?

userQ
Loves-to-Learn

Hello, I'll put things in context before showing the query.

I have a Splunk instance that I test on to see the query results, because I don't have access to the Splunk instance that has the data.

I have a query that shows me the result for these two hostnames, but I need this same result for all hostnames, not just these two.


I have 2 queries.

The first query gets me the results for the two teams, although I don't know if it does so because I have the data inserted (I can't find it by index) or because I use makeresults (I read that it works in cache and the data doesn't have to be there).

| makeresults
| eval EventCode="20", hostname="wdv01ssps,DESCASSOAW01", error_code="0x80070003 0x80004004"
| makemv delim="," hostname
| makemv delim=" " EventCode
| makemv delim=" " error_code
| mvexpand EventCode
| mvexpand hostname
| mvexpand error_code
| table hostname EventCode error_code


I'd like to use the latter, as it's easier for me to display results by hostname; in this case it's called ComputerName.

How can I show all ComputerName values with these same filters?

index=sistemi sourcetype="wineventlog" TaskCategory="Windows Update Agent" AND EventCode IN (20, 27)
| eval day_of_week = lower(strftime(_time, "%A"))
| eval date_string = strftime(_time, "%Y-%m-%d")
| eval Weekend=if(day_of_week="saturday" OR day_of_week="sunday",1,null())
| search Weekend=1
| stats count by Message EventCode ComputerName date_string
| stats list(Message) by ComputerName date_string EventCode

It may simply not be possible to list all the computer names without listing them one by one.

Thanks.


userQ
Loves-to-Learn

Hi, sorry if I didn't explain myself well.
I would like to get all the hostnames instead of just naming those two, for example: hostname=*

Referencing the * as all the hostnames there are.

I know the * doesn't work in Splunk like in programming languages; it only worked with index=*, but not inside the query with the data.


ITWhisperer
SplunkTrust

Why do you think * only works for index?

By not restricting the hostname, i.e. not using a filter, you will be getting events for all hostnames. This is almost the same as hostname=*, except that hostname=* will ensure hostname is not null.


ITWhisperer
SplunkTrust

I am not sure what you are asking for - all the computer names are listed by the stats call. Do you just want the computer names?

| stats values(ComputerName) as ComputerName
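As an added example (not part of the thread), here is one way to test the weekend filter and the unfiltered-by-hostname stats on a Splunk instance that has no wineventlog data: build synthetic events with makeresults, give each one a real _time, and then run the same eval/where/stats pipeline the question uses. The hostnames, timestamps and Message text are constructed for the test; SRV-TEST-03 is an assumed third host to show that every ComputerName appears without being named in a filter.

```spl
| makeresults
| eval raw="wdv01ssps,20,2024-06-01 10:00:00;wdv01ssps,27,2024-06-03 10:00:00;DESCASSOAW01,20,2024-06-02 11:30:00;SRV-TEST-03,27,2024-06-08 09:15:00"
| makemv delim=";" raw
| mvexpand raw
| rex field=raw "^(?<ComputerName>[^,]+),(?<EventCode>\d+),(?<ts>.+)$"
| eval _time=strptime(ts, "%Y-%m-%d %H:%M:%S")
| eval Message="Synthetic Windows Update Agent event ".EventCode
| fields - raw ts
| eval day_of_week=lower(strftime(_time, "%A"))
| eval date_string=strftime(_time, "%Y-%m-%d")
| where day_of_week="saturday" OR day_of_week="sunday"
| stats count by Message EventCode ComputerName date_string
| stats list(Message) as Message by ComputerName date_string EventCode
```

With these constructed timestamps, 2024-06-01, 2024-06-02 and 2024-06-08 fall on a weekend and 2024-06-03 is a Monday, so three rows come out (one per host) and the Monday event is dropped; once the real index is available, replace the makeresults/rex block with the index=sistemi search from the question and the rest of the pipeline stays the same.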