Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Number of hosts forwarding logs to indexer

rxdeleon
Explorer
‎07-06-2011 01:46 PM

I would like to know the quickest way to count the number of hosts that have sent data to the indexer for the last 7 days.

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gkanapathy
Splunk Employee
Splunk Employee
‎07-06-2011 08:53 PM

Well, the quickest will probably be:

| metadata type=hosts | where now()-recentTime < (7*24*60*60)

What it actually tells you is which hosts have a most recently sent event whose timestamp is within the last 7 days, though this is likely to be close to what you asked for if you are generally bringing in correctly timestamped data in real time.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

gkanapathy
Splunk Employee
Splunk Employee
‎07-06-2011 08:53 PM

Well, the quickest will probably be:

| metadata type=hosts | where now()-recentTime < (7*24*60*60)

What it actually tells you is which hosts have a most recently sent event whose timestamp is within the last 7 days, though this is likely to be close to what you asked for if you are generally bringing in correctly timestamped data in real time.

0 Karma
Reply
Solved! Jump to solution

rxdeleon
Explorer
‎07-07-2011 11:33 AM

Yes, this is a much quicker method. Thank you so much.

0 Karma
Reply
Solved! Jump to solution

proctorgeorge
Path Finder
‎07-06-2011 02:00 PM

Does this search do it for you?

index=_internal source="C:\\Program Files\\Splunk\\var\\log\\splunk\\metrics.log" earliest=-7d@d | table sourceHost | dedup sourceHost | stats count

with the source path changed accordingly of course!

0 Karma
Reply
Get Updates on the Splunk Community!

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

You might have seen Splunk’s recent announcement about donating the OpenTelemetry Injector to the ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...