Source and Host

tmurray3 · ‎09-30-2011

I am trying to write a query to return host, source, last updated. However, it appears as though the source and host data are not stored together in the metadata. I can get a list of sources using the query:

"|metadata type=sources index=iam_eat"

but cant figure out how to include the hostname. I tried this query:

|metadata type=sources index=iam_eat| map search="search index=iam_eat earliest=-1m source=$source$|stats count by host,source" maxsearches=10

This query works, but only includes hosts & sources that have been updated in the last minute. If the source has not been updated, then I would like it to show up in my list with a count of 0.

Any help will be greatly appreciated!!!!

Thanks

tmurray3 · ‎09-30-2011

My goal is to simple. I want to display a table with host, source and last time updated. Basically, everything listed in the "|metadata type=sources" results, plus add a host column

Simeon · ‎09-30-2011

They are not included together. You can run separate searches against the metadata to find that out.

What is your ultimate goal with this data?

Source and Host

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Join the Conversation

Source and Host

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...