Splunk Search

Query to find servers reporting to splunk

Ravan
Path Finder

Need a query to find the list of servers reporting to Splunk, and send that output to a lookup file.


johandk
Path Finder

If it is the hosts (sources) sending data to your Splunk instance that you are interested in, this might work for you:

|metadata type=hosts | fields host, firstTime, lastTime, totalCount | eval firstTime=strftime(firstTime, "%Y-%m-%d %H:%M:%S") | eval lastTime=strftime(lastTime, "%Y-%m-%d %H:%M:%S") | sort -totalCount | outputlookup meta_data_hosts.csv
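As an added example (not from the original thread), the accepted query extended with the metadata command's recentTime field, the index time of the newest event for each host, so that a host whose lastTime sits years behind its recentTime (the 2013/14 dates raised later in the thread) is flagged as a timestamp-parsing problem rather than as a host that stopped sending, while hosts that have gone quiet are flagged separately; the stats step folds duplicate rows returned per indexer, and the 7-day and 30-day thresholds and the lookup name are assumptions:

```spl
| metadata type=hosts index=*
| stats min(firstTime) as firstTime, max(lastTime) as lastTime, max(recentTime) as recentTime, sum(totalCount) as totalCount by host
| eval days_silent=round((now()-recentTime)/86400, 1)
| eval timestamp_skew_days=round((recentTime-lastTime)/86400, 1)
| eval status=case(days_silent>7, "silent", timestamp_skew_days>30, "stale_timestamps", timestamp_skew_days<-1, "future_timestamps", true(), "ok")
| eval firstTime=strftime(firstTime, "%Y-%m-%d %H:%M:%S"), lastTime=strftime(lastTime, "%Y-%m-%d %H:%M:%S"), recentTime=strftime(recentTime, "%Y-%m-%d %H:%M:%S")
| table host, status, days_silent, timestamp_skew_days, firstTime, lastTime, recentTime, totalCount
| sort -days_silent
| outputlookup meta_data_hosts.csv
```

Like the accepted answer, this lists host-field values present in indexed data rather than forwarder connections, so a host fed through a forwarder and a host sending directly look the same here.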



Ravan
Path Finder

The above query is working fine, but in a few results I found reporting dates as the 2013/14 year... Is it a problem from the Splunk server's or the client's end?


Damien_Dallimor
Ultra Champion

Have a look at the outputlookup search command:

http://docs.splunk.com/Documentation/Splunk/4.3/SearchReference/Outputlookup

When you say servers reporting to Splunk, do you mean a list of Splunk components (forwarders, indexers, search heads, etc.) or do you mean the hostname/IP from all sources of data that are indexed in Splunk?

Ravan
Path Finder

In this case it is forwarders reporting to Splunk.
