Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Create table containing hosts,sources metadata?

gowen
Path Finder
‎01-30-2012 03:13 PM

I would like to have a list of all the hosts (over some period of time, presumably) and the sources that they've generated logs entries with. A simple table format would work, so there'd be 10 lines for host X, each with a different source listed, if host X generated logs for 10 sources.

More simply:

host1,source1
host1,source2
host2,source1
host2,source3
host2,source4

Is there a way I can get this information? I see how to pull hosts using metadata, and I see how to pull sources using metadata, but I don't see how the two can be related.

Tags (3)
Reply
1 Solution
Solved! Jump to solution
Solution

lguinn2
Legend
‎01-30-2012 05:25 PM

You will have to actually count them up:

index=* | stats count by host, source

should do it.

View solution in original post

Reply
Solved! Jump to solution
Solution

lguinn2
Legend
‎01-30-2012 05:25 PM

You will have to actually count them up:

index=* | stats count by host, source

should do it.

Reply
Solved! Jump to solution

gowen
Path Finder
‎01-31-2012 05:46 AM

Excellent, gives me just what I was looking for.

0 Karma
Reply
Solved! Jump to solution

sbrant_tt
Explorer
‎01-30-2012 04:50 PM

You can use the following search to accomplish this (slightly different output than you've specified):

* | chart values(source) by host

Or, if you want to include the all (including internal) indexes:

index=* | chart values(source) by host
Reply
Solved! Jump to solution

gowen
Path Finder
‎01-31-2012 05:47 AM

Very good, thank you - even though the output format wasn't what I was thinking of, it's still useful and it helps me think in terms of how chart can help me. Thanks!

0 Karma
Reply
Get Updates on the Splunk Community!

New Year, New Changes for Splunk Certifications

As we embrace a new year, we’re making a small but important update to the Splunk Certification ...

[Puzzles] Solve, Learn, Repeat: Unmerging HTML Tables

[Puzzles] Solve, Learn, Repeat: Unmerging HTML TablesFor a previous puzzle, I needed some sample data, and ...

Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...

As of today, Enterprise Security (ES) Essentials 8.3 is now generally available, helping SOC teams simplify ...