Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

When there are duplicate host names, how do you build a search that gets hosts' last activity?

CMSchelin
Path Finder
‎11-08-2018 07:05 AM

We have a bunch of hosts. Some of them are kind of like duplicates in that they are just the host name, and some are the FQDN. Example:

  • Server012
  • Server012.example.tld

I know how to use the metadata command to get a list of hosts and the last time they were seen. I also know how to strip out the domain part of the FQDN.

| metadata type=hosts
| rex field=host "^(?<hostname>.+)\.example.tld"
| table hostname, lastTime

The question is:

How can I collapse the duplicates and get the most recent most recent (sic) time?

Example data:

| host                  | lastTime   |
| Server012             | 1541663236 |
| Server012.example.tld | 1541689264 |

I want a query that would return:

| Server012 | 1541689264 |

Any insights?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

KailA
Contributor
‎11-08-2018 07:08 AM

Hi @CMSchelin,

I think you can do something like that :

| metadata type=hosts
|rex field=host "^(?<hostname>.+)\.example.tld"
| table hostname, lastTime
| stats max(lastTime) as lastTime BY hostname

That will return you the most recent activity by host.

Let me know.
KailA 🙂

View solution in original post

Reply
Solved! Jump to solution
Solution

KailA
Contributor
‎11-08-2018 07:08 AM

Hi @CMSchelin,

I think you can do something like that :

| metadata type=hosts
|rex field=host "^(?<hostname>.+)\.example.tld"
| table hostname, lastTime
| stats max(lastTime) as lastTime BY hostname

That will return you the most recent activity by host.

Let me know.
KailA 🙂

Reply
Solved! Jump to solution

CMSchelin
Path Finder
‎11-08-2018 07:17 AM

Damn, all that typing for the question, and you answered it in like seconds. 🙂

That works perfectly, thank you!

0 Karma
Reply
Get Updates on the Splunk Community!

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

The latest enhancements across the Splunk Observability portfolio deliver greater flexibility, better data and ...

Alerting Best Practices: How to Create Good Detectors

At their best, detectors and the alerts they trigger notify teams when applications aren’t performing as ...

Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...

Hey Splunky people! We are excited to share the latest updates in Splunk Cloud Platform 9.3.2408. In this ...