Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Source and Host

tmurray3
Path Finder
‎09-30-2011 10:48 AM

I am trying to write a query to return host, source, last updated. However, it appears as though the source and host data are not stored together in the metadata. I can get a list of sources using the query:

"|metadata type=sources index=iam_eat"

but cant figure out how to include the hostname. I tried this query:

|metadata type=sources index=iam_eat| map search="search index=iam_eat earliest=-1m source=$source$|stats count by host,source" maxsearches=10

This query works, but only includes hosts & sources that have been updated in the last minute. If the source has not been updated, then I would like it to show up in my list with a count of 0.

Any help will be greatly appreciated!!!!

Thanks

Tags (2)
Reply

tmurray3
Path Finder
‎09-30-2011 12:40 PM

My goal is to simple. I want to display a table with host, source and last time updated. Basically, everything listed in the "|metadata type=sources" results, plus add a host column

0 Karma
Reply

Simeon
Splunk Employee
Splunk Employee
‎09-30-2011 12:17 PM

They are not included together. You can run separate searches against the metadata to find that out.

What is your ultimate goal with this data?

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Platform | Upgrading your Splunk Deployment to Python 3.9

Splunk initially announced the removal of Python 2 during the release of Splunk Enterprise 8.0.0, aiming to ...

From Product Design to User Insights: Boosting App Developer Identity on Splunkbase

co-authored by Yiyun Zhu & Dan Hosaka Engaging with the Community at .conf24 At .conf24, we revitalized the ...

Detect and Resolve Issues in a Kubernetes Environment

We’ve gone through common problems one can encounter in a Kubernetes environment, their impacts, and the ...