Splunk Search

what needs to be added to modify my search to display only the windows hosts?

pavanae
Builder

The following is my search query :-

index=* | regex _raw!=".2016-\d{2}-\d{2}." | stats values(host) as hosts

Also is there any way that I can see all the sources per host in which my search string satisfies?

0 Karma
1 Solution

twinspop
Influencer

Probably the best way to identify Windows hosts at search time would be to use tags. Settings -> Tags. Be sure to adjust permissions as required in your use case.

A more dynamic, but also more "expensive", method would be to use a subsearch on the _internal index:

index=* [ 
    search index=_internal os=Windows sourcetype=splunkd | 
    stats count by hostname | rename hostname as host | fields host ] | 
stats values(source) as sources by host

EDIT to add regex command:

index=* [ 
    search index=_internal os=Windows sourcetype=splunkd | 
    stats count by hostname | rename hostname as host | fields host ] | 
regex _raw!=".2016-\d{2}-\d{2}." |
stats values(source) as sources by host

View solution in original post

twinspop
Influencer

Probably the best way to identify Windows hosts at search time would be to use tags. Settings -> Tags. Be sure to adjust permissions as required in your use case.

A more dynamic, but also more "expensive", method would be to use a subsearch on the _internal index:

index=* [ 
    search index=_internal os=Windows sourcetype=splunkd | 
    stats count by hostname | rename hostname as host | fields host ] | 
stats values(source) as sources by host

EDIT to add regex command:

index=* [ 
    search index=_internal os=Windows sourcetype=splunkd | 
    stats count by hostname | rename hostname as host | fields host ] | 
regex _raw!=".2016-\d{2}-\d{2}." |
stats values(source) as sources by host

View solution in original post

pavanae
Builder

by the above search I am able to see all the windows hosts and sources which is good. But I want to see the hosts and sources which satisfies the search string " index=* | regex _raw!=".2016-\d{2}-\d{2}." and then I need to filter the results by your search string . so is there any way that I can get the results by using both the search strings.

0 Karma

twinspop
Influencer

add your regex command before the stats command: index=* [
search index=_internal os=Windows sourcetype=splunkd |
stats count by hostname | rename hostname as host | fields host ] |
regex _raw!=".2016-\d{2}-\d{2}." | stats values(source) as sources by host

0 Karma

appache
Path Finder

index=* | regex _raw!=".2016-\d{2}-\d{2}." | stats list(source) as sources by host

0 Karma

sundareshr
Legend

Try this

index=* | regex _raw!=".2016-\d{2}-\d{2}." | stats values(sources) as sources by host
0 Karma