Solved: Re: Query to find servers reporting to splunk

Ravan · ‎01-16-2012

Need a query to find list of servers reporting to splunk, and send that output to a lookupfile.

johandk · ‎01-16-2012

If it is the hosts(sources) sending data to your Splunk instance that you are interested in, this might work for you:

|metadata type=hosts | fields host, firstTime, lastTime, totalCount | eval firstTime=strftime(firstTime, "%Y-%m-%d %H:%M:%S") | eval lastTime=strftime(lastTime, "%Y-%m-%d %H:%M:%S") | sort -totalCount | outputlookup meta_data_hosts.csv

View solution in original post

johandk · ‎01-16-2012

If it is the hosts(sources) sending data to your Splunk instance that you are interested in, this might work for you:

|metadata type=hosts | fields host, firstTime, lastTime, totalCount | eval firstTime=strftime(firstTime, "%Y-%m-%d %H:%M:%S") | eval lastTime=strftime(lastTime, "%Y-%m-%d %H:%M:%S") | sort -totalCount | outputlookup meta_data_hosts.csv

Ravan · ‎01-25-2012

Above Query working fine , but in few results i found reporting date's as 2013/14 year ... Is it problem from splunk server OR clients end ..?

Damien_Dallimor · ‎01-16-2012

Have a look at the outputlookup search command :

http://docs.splunk.com/Documentation/Splunk/4.3/SearchReference/Outputlookup

When you say servers reporting to Splunk , do you mean a list of Splunk components(forwarders, indexers, search heads etc..) or do you mean the hostname/IP from all sources of data that is indexed in Splunk ?

Ravan · ‎01-16-2012

In this case it is forwarders reporting to splunk

Query to find servers reporting to splunk

Developer Spotlight with Paul Stout

State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...

Data-Driven Success: Splunk & Financial Services