Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

LIst all universal forwarder hosts sending to an index but limit the host count to 5

davidaj
Explorer
‎02-12-2025 10:01 AM

Hello

I'm looking to modify this search I've found and using. I like the result set but would like to limit the host count to just five for each index it reports to. The .csv export of the original search is really messy and just unusable. My SPL skills are limited at the moment so any help is much appreciated. 

| tstats values(host) as host where index=* by index

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

livehybrid
SplunkTrust
SplunkTrust
‎02-12-2025 01:34 PM

If you want a list of the top 5 hosts reporting into each index then I would look to use the following search:

 

| tstats count where index=* by host, index
| sort - count
| streamstats count as n by index
| search n<=5
| stats values(host) by index

 

 

This Splunk search starts by using tstats to efficiently count events for each host and index, retrieving data across all indexes. It then sorts the results in descending order by event count so that the most active hosts appear first. The streamstats command assigns a running count (n) to each record within its respective index, effectively numbering the hosts within each index. The search n<=5 step filters the results to include only the top 5 hosts per index based on event count. Finally, stats values(host) by index consolidates the results to display the top 5 hosts for each index in a clean format.

Please let me know how you get on and consider accepting this answer or adding karma this answer if it has helped.
Regards

Will

View solution in original post

Reply
Solved! Jump to solution

davidaj
Explorer
‎02-13-2025 08:02 AM

Update: 

Thanks for all the help. I was able to get an assist from a colleague and wanted to provide his search incase it works for anyone else.  


In a nutshell, the line rows=5, you can change to whatever number you need, but in the output if there are more than 5 hosts it will show you ... at the bottom so you know there is more, the columns on the right show you the initial amount of hosts and the amount if truncated

 

| tstats values(host) as host where index=* by index 
| foreach host ``` This code will only show you the first n values in the values() command```
    [ eval rows=5
    | eval mvCountInitial=mvcount('<<FIELD>>') 
    | eval <<FIELD>>=if(mvcount('<<FIELD>>')>$rows$, mvappend(mvindex('<<FIELD>>',0,$rows$-1),"..."), '<<FIELD>>') 
| eval mvCountTruncated=if(mvcount('<<FIELD>>')>$rows$,mvcount('<<FIELD>>')-1,mvcount('<<FIELD>>')) 
| fields - rows]
| rename mvCountInitial as "Total Host Count" mvCountTruncated as Truncated

 

Reply
Solved! Jump to solution
Solution

livehybrid
SplunkTrust
SplunkTrust
‎02-12-2025 01:34 PM

If you want a list of the top 5 hosts reporting into each index then I would look to use the following search:

 

| tstats count where index=* by host, index
| sort - count
| streamstats count as n by index
| search n<=5
| stats values(host) by index

 

 

This Splunk search starts by using tstats to efficiently count events for each host and index, retrieving data across all indexes. It then sorts the results in descending order by event count so that the most active hosts appear first. The streamstats command assigns a running count (n) to each record within its respective index, effectively numbering the hosts within each index. The search n<=5 step filters the results to include only the top 5 hosts per index based on event count. Finally, stats values(host) by index consolidates the results to display the top 5 hosts for each index in a clean format.

Please let me know how you get on and consider accepting this answer or adding karma this answer if it has helped.
Regards

Will

Reply
Solved! Jump to solution

davidaj
Explorer
‎02-13-2025 07:53 AM

Hello livehybrid

Thanks you. This gives me exactly what I an looking for. 

Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎02-12-2025 10:45 AM

There is no option in tstats or values to limit the number of values.  You can, however, expand the host field and then limit the number displayed.

| tstats values(host) as host where index=* by index 
| mvexpand host 
| dedup 5 index host

 

---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

Building Reliable Asset and Identity Frameworks in Splunk ES

 Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

For Splunk Cloud customers, understanding and optimizing Splunk Virtual Compute (SVC) usage and resource ...

Automatic Discovery Part 3: Practical Use Cases

If you’ve enabled Automatic Discovery in your install of the Splunk Distribution of the OpenTelemetry ...