Splunk Enterprise

Finding hosts in Splunk

Mukunda7
Explorer

So we have a task to find all the hosts in our Splunk Enterprise. We need to take the list and what type of logs we are getting from those hosts.

How can we do that easily?


PickleRick
SplunkTrust

It all depends on what you mean by "all hosts" but in general - unless you have a very well organized environment, you might have problems with that.

Why? Because splunk as such doesn't much care about the metadata - it's up to you and your apps to make it reasonable.

For example - if you have a UDP:514 input receiving syslog events and you receive events from ten different hosts which are misconfigured and are sending "localhost" as their name, splunk will probably parse the host field as "localhost" from the event contents and the source by default would be set to "udp:514". It doesn't tell you much, does it?

There's no "automatic" additional metadata that splunk captures - like source IP for network connections.

So even though you might list metadata about all your events (list all your sources, hosts and sourcetypes) it still might not correspond directly to your physical environment.


Mukunda7
Explorer

Got your point, but what we are looking for is which servers we are mainly getting data from for the last 30 days. Can we find that?

So that we can list those important servers and blocklist the remaining ones.


PickleRick
SplunkTrust

As I wrote earlier - you can list what you have in indexes. Just do

| tstats count where index=* by index,source,sourcetype

and you're all set.

It's just that you might end up with data which tells you absolutely nothing.


venkatasri
SplunkTrust

@Mukunda7 

| metadata type=hosts index=* | fields host

index=* is not a great search; you can limit it if you know the index name.

---

Hope it helps!

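Putting the two answers together for the 30-day question, here is a search added as an example (it is not from either poster). It uses tstats, so it reads the index metadata rather than raw events, restricts to the last 30 days, rolls up event counts, the sourcetypes seen and the last event time per host, and flags host values such as "localhost" that are likely the parsing problem described above. The index=* and the regex of suspect host names are assumptions; narrow them to your own indexes and naming rules.

```spl
| tstats count AS events, max(_time) AS last_seen
    WHERE index=* earliest=-30d@d latest=now
    BY host, index, sourcetype
| stats sum(events) AS events,
        values(sourcetype) AS sourcetypes,
        values(index) AS indexes,
        max(last_seen) AS last_seen
        BY host
| eval last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| eval host_check=if(match(host, "^(localhost|127\.0\.0\.1|-|unknown)$"),
                     "suspect: check input/host config", "ok")
| sort - events
| table host, events, indexes, sourcetypes, last_seen, host_check
```

Hosts that show up only as "suspect" rows are the ones whose real origin has to be worked out from the input configuration, not from the data itself.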