Number of hosts forwarding logs to indexer

Explorer

I would like to know the quickest way to count the number of hosts that have sent data to the indexer for the last 7 days.

Re: Number of hosts forwarding logs to indexer

Path Finder

Does this search do it for you?

index=_internal source="C:\\Program Files\\Splunk\\var\\log\\splunk\\metrics.log" earliest=-7d@d | table sourceHost | dedup sourceHost | stats count 

with the source path changed accordingly of course!

Re: Number of hosts forwarding logs to indexer

Legend

Well, the quickest will probably be:

| metadata type=hosts | where now()-recentTime < (7*24*60*60)

What it actually tells you is which hosts have a most recently sent event whose timestamp is within the last 7 days, though this is likely to be close to what you asked for if you are generally bringing in correctly timestamped data in real time.

Re: Number of hosts forwarding logs to indexer

Explorer

Yes, this is a much quicker method. Thank you so much.
