Splunk Search

fast query to output hosts not logging to index

Mag2sub
Path Finder

On 5.0.4 ...appreciate suggestions on performance conducive query to output hosts not logging to index with index names also being output in the search results
We have huge amounts of data and would need the query to be as fast as possible ..possibly run ove r a 1 hour interval

Appreciate!

Tags (1)
0 Karma

martin_mueller
SplunkTrust
SplunkTrust

Have you tried my suggestion of incrementally building a lookup with all your hosts? As a result you'll only need to look through e.g. an hour of data every hour. Each query should be fast, no need to look at data twice to find a previously-sending host that has just stopped.

0 Karma

Mag2sub
Path Finder

Apologies ...I guess the other was specific on query to correlate...and im still stuck with the question of a fast query for above as we TB of data .i need both index names and hosts not logging to be output in same query result and a fast query at that ... as we have gobs of data ...i do not want the query to be stuck with a high cost

0 Karma

martin_mueller
SplunkTrust
SplunkTrust
0 Karma

linu1988
Champion

Did you try

|metadata type=hosts index=*

This is the fastest way to get the host names.

OR

if you want it to be index independent, make a summary index and start collecting them. Search them over time.

Thanks,
L

0 Karma

Mag2sub
Path Finder

I have tried that before Above query does not output index names in search result...so its not helpful

Thanks

0 Karma
Get Updates on the Splunk Community!

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Enhance Security Operations with Automated Threat Analysis in the Splunk EcosystemAre you leveraging ...

Splunk Developers: Go Beyond the Dashboard with These .Conf25 Sessions

  Whether you’re building custom apps, diving into SPL2, or integrating AI and machine learning into your ...

Index This | How do you write 23 only using the number 2?

July 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this month’s ...