Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to write a search to find new hosts that are sending logs to Splunk?

sumitkathpal
Explorer
‎01-04-2017 03:03 AM

Dear Experts,

We are looking for a search where we can find new hosts that are sending logs to Splunk. I am stuck and don't know where to start.

Any help. Thanks in advance

0 Karma
Reply

javiergn
Super Champion
‎01-26-2017 12:57 PM

Hi,

Did any of the answers below help you?
If so, could you please mark it as answered so that we can close the thread?

Thanks,
J

0 Karma
Reply

javiergn
Super Champion
‎01-04-2017 03:18 AM

You could try this if you just want to show those new hosts that have reported for the first time since yesterday:

| metadata type=hosts index=_* OR index=*
| where firstTime >= relative_time(now(), "-1d")
| convert timeformat="%Y-%m-%d %T" ctime(firstTime) as firstTime, ctime(lastTime) as lastTime, ctime(recentTime) as recentTime
| table host, firstTime, lastTime, recentTime, Count

Simply modify the relative_time parameters to match your time range needs.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎01-04-2017 03:12 AM

hi sumitkathpal,
You can see which hosts are sending logs to Splunk with this simple search:

index=_internal

If you want to verify if there are new hosts you have to insert your hosts in a lookup and search for them:

index=_internal NOT [ | inputlookup my_hosts.csv | fields host ]

in this way you can find if an host is or not in your lookup.
Bye.
Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Watch On Demand the Tech Talk on November 6 at 11AM PT, and empower your SOC to reach new heights! Duration: ...

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...