Splunk Cloud Platform
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Searching all hosts in an index for count

verifi81
Path Finder
‎03-30-2021 09:38 AM

Hello folks,

I have about 20 hosts that fall under index=devices

I need a query that will display the count information for each host, once over a 24 hour period. 
My intention is to use this to set an alert so that if a host does not have any count in 24 hours, it will send an alert. 

What query would work best for this? 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎03-30-2021 10:24 AM

This will get you the daily counts.

index=devices | bin _time span=1d | stats count by _time host

However, if a host has no events, it will not show up. Ways around this include using lookups to retrieve all the valid hosts from a file or key store, or use a longer time frame to retrieve (and possibly dedup) the hosts so you can see if they had event in the time frame of interest.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎03-30-2021 10:24 AM

This will get you the daily counts.

index=devices | bin _time span=1d | stats count by _time host

However, if a host has no events, it will not show up. Ways around this include using lookups to retrieve all the valid hosts from a file or key store, or use a longer time frame to retrieve (and possibly dedup) the hosts so you can see if they had event in the time frame of interest.

0 Karma
Reply
*NEW* Splunk Love Promo!
Snag a $25 Visa Gift Card for Giving Your Review!

It's another Splunk Love Special! For a limited time, you can review one of our select Splunk products through Gartner Peer Insights and receive a $25 Visa gift card!

Review:





Or Learn More in Our Blog >>

Get Updates on the Splunk Community!