Splunk Search
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Source and Host

tmurray3
Path Finder
‎09-30-2011 10:48 AM

I am trying to write a query to return host, source, last updated. However, it appears as though the source and host data are not stored together in the metadata. I can get a list of sources using the query:

"|metadata type=sources index=iam_eat"

but cant figure out how to include the hostname. I tried this query:

|metadata type=sources index=iam_eat| map search="search index=iam_eat earliest=-1m source=$source$|stats count by host,source" maxsearches=10

This query works, but only includes hosts & sources that have been updated in the last minute. If the source has not been updated, then I would like it to show up in my list with a count of 0.

Any help will be greatly appreciated!!!!

Thanks

Tags (2)
Reply

tmurray3
Path Finder
‎09-30-2011 12:40 PM

My goal is to simple. I want to display a table with host, source and last time updated. Basically, everything listed in the "|metadata type=sources" results, plus add a host column

0 Karma
Reply

Simeon
Splunk Employee
Splunk Employee
‎09-30-2011 12:17 PM

They are not included together. You can run separate searches against the metadata to find that out.

What is your ultimate goal with this data?

0 Karma
Reply
Get Updates on the Splunk Community!

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...

AppDynamics is now part of Splunk Ideas

Hello Splunkers, We have exciting news for you! AppDynamics has been added to the Splunk Ideas Portal. Which ...

Advanced Splunk Data Management Strategies

Join us on Wednesday, May 14, 2025, at 11 AM PDT / 2 PM EDT for an exclusive Tech Talk that delves into ...
Top