Hi, thanks for your response.

devicename is the hostname. E.g., I have configured a list of Linux servers to send logs to Splunk. The server name is shown in the field "host", which is actually the device name (server name). Similarly for Windows servers, firewalls, etc.

Linux servers: ab, dd, xy (configuring those devices under index called 'linux')
Windows servers: wndw1, wndw2, wndw3 (configuring those devices under index called 'windows')
Fortinet devices: frt1, frt2, frt3 (configuring those devices under index called 'fortinet')

Now, I am using this tstats query:

    |tstats count where index=* by host,index

The result will be:

    host    index     count
    ab      linux     10
    dd      linux     20
    xy      linux     30
    wndw1   windows   10
    wndw2   windows   20
    wndw3   windows   30
    frt1    fortinet  10
    frt2    fortinet  20
    frt3    fortinet  30

Now, I have another set of devices (e.g., network devices - ntwk1, ntwk2, ntwk3), but the name of the device is under the field called 'asset'. My tstats query won't pick up this list of network devices. So I need your suggestion on how to include those.