Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Query to find servers reporting to splunk
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ravan
Path Finder
01-16-2012
02:45 AM
Need a query to find list of servers reporting to splunk, and send that output to a lookupfile.
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
johandk
Path Finder
01-16-2012
10:54 PM
If it is the hosts(sources) sending data to your Splunk instance that you are interested in, this might work for you:
|metadata type=hosts | fields host, firstTime, lastTime, totalCount | eval firstTime=strftime(firstTime, "%Y-%m-%d %H:%M:%S") | eval lastTime=strftime(lastTime, "%Y-%m-%d %H:%M:%S") | sort -totalCount | outputlookup meta_data_hosts.csv
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
johandk
Path Finder
01-16-2012
10:54 PM
If it is the hosts(sources) sending data to your Splunk instance that you are interested in, this might work for you:
|metadata type=hosts | fields host, firstTime, lastTime, totalCount | eval firstTime=strftime(firstTime, "%Y-%m-%d %H:%M:%S") | eval lastTime=strftime(lastTime, "%Y-%m-%d %H:%M:%S") | sort -totalCount | outputlookup meta_data_hosts.csv
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ravan
Path Finder
01-25-2012
07:28 AM
Above Query working fine , but in few results i found reporting date's as 2013/14 year ... Is it problem from splunk server OR clients end ..?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Damien_Dallimor
Ultra Champion
01-16-2012
12:52 PM
Have a look at the outputlookup search command :
http://docs.splunk.com/Documentation/Splunk/4.3/SearchReference/Outputlookup
When you say servers reporting to Splunk , do you mean a list of Splunk components(forwarders, indexers, search heads etc..) or do you mean the hostname/IP from all sources of data that is indexed in Splunk ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ravan
Path Finder
01-16-2012
10:00 PM
In this case it is forwarders reporting to splunk
Get Updates on the Splunk Community!
Splunk Classroom Chronicles: Training Tales and Testimonials (Episode 3)
Welcome back to Splunk Classroom Chronicles, our ongoing blog series that pulls back the curtain on Splunk ...
Operationalizing TDIR: Building a More Resilient, Scalable SOC
Optimizing SOC workflows with a unified, risk-based approach to Threat Detection, Investigation, and Response ...
Almost Too Eventful Assurance: Part 1
Modern IT and Network teams still struggle with too many alerts and isolating issues before they are notified. ...
