Source and Host

tmurray3 · ‎09-30-2011

I am trying to write a query to return host, source, last updated. However, it appears as though the source and host data are not stored together in the metadata. I can get a list of sources using the query:

"|metadata type=sources index=iam_eat"

but cant figure out how to include the hostname. I tried this query:

|metadata type=sources index=iam_eat| map search="search index=iam_eat earliest=-1m source=$source$|stats count by host,source" maxsearches=10

This query works, but only includes hosts & sources that have been updated in the last minute. If the source has not been updated, then I would like it to show up in my list with a count of 0.

Any help will be greatly appreciated!!!!

Thanks

tmurray3 · ‎09-30-2011

My goal is to simple. I want to display a table with host, source and last time updated. Basically, everything listed in the "|metadata type=sources" results, plus add a host column

Simeon · ‎09-30-2011

They are not included together. You can run separate searches against the metadata to find that out.

What is your ultimate goal with this data?

Source and Host

Unlock Database Monitoring with Splunk Observability Cloud

Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk

Join the Conversation

Source and Host

Unlock Database Monitoring with Splunk Observability Cloud

Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk