Splunk Search

How to write a search to find new hosts that are sending logs to Splunk?

sumitkathpal
Explorer

Dear Experts,

We are looking for a search where we can find new hosts that are sending logs to Splunk. I am stuck and don't know where to start.

Any help. Thanks in advance

0 Karma

javiergn
Super Champion

Hi,

Did any of the answers below help you?
If so, could you please mark it as answered so that we can close the thread?

Thanks,
J

0 Karma

javiergn
Super Champion

You could try this if you just want to show those new hosts that have reported for the first time since yesterday:

| metadata type=hosts index=_* OR index=*
| where firstTime >= relative_time(now(), "-1d")
| convert timeformat="%Y-%m-%d %T" ctime(firstTime) as firstTime, ctime(lastTime) as lastTime, ctime(recentTime) as recentTime
| table host, firstTime, lastTime, recentTime, Count

Simply modify the relative_time parameters to match your time range needs.

0 Karma

gcusello
SplunkTrust
SplunkTrust

hi sumitkathpal,
You can see which hosts are sending logs to Splunk with this simple search:

index=_internal

If you want to verify if there are new hosts you have to insert your hosts in a lookup and search for them:

index=_internal NOT [ | inputlookup my_hosts.csv | fields host ]

in this way you can find if an host is or not in your lookup.
Bye.
Giuseppe

0 Karma
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...