Splunk Search

How to get a list of all hosts across all indexes if we cannot use index=* (restricted by workload rule)

mlevsh
Builder

Hi,

We need to find all the hosts across all the indexes, but we cannot use index=* anymore, as its use is restricted by a workload rule.

Before, the following command was used:

| tstats count where index=* by host
| fields - count

But it uses index=* and now we cannot use it.
Will appreciate any ideas.



gcusello
SplunkTrust

Hi @mlevsh,

the easiest way is asking to remove that rule because it isn't useful!

Anyway, you should list all the existing indexes in the WHERE condition:

| tstats count where index IN (index1,index2,index3) by index host
| fields - count

To avoid repeating this list in every command, you could also put all these indexes in a macro or an eventtype and use it in your searches.

Ciao.

Giuseppe
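As an added illustration of the macro approach suggested above (not from the original thread), here is a macros.conf stanza that holds the index list once, so every search reuses it and no search has to fall back to index=*. The macro name `all_indexes` and the index names inside it are assumed placeholders; the wildcard `p*` follows the index=p* idea from the question and works inside IN.

```conf
# macros.conf (assumed location: a custom app's local/ directory or the search app's local/)
# Defines one place to maintain the list of indexes that replaces index=*.
[all_indexes]
definition = index IN (p*, index1, index2, index3)
iseval = 0

# Usage in a search (the macro is expanded inline by the search parser):
#   | tstats count where `all_indexes` by index host
#   | fields - count
```

Because the macro expands to a plain `index IN (...)` clause, it can be used in any `where` condition that the workload rule allows; keeping wildcards like `p*` narrow avoids recreating the broad scan the rule was introduced to prevent.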

mlevsh
Builder

@gcusello 

Hi!

Thank you for your advice!

(1) It will be kind of difficult to list all 280 indexes. We can probably decrease it to 68 by using
something like index=p*
I was wondering if there might be another alternative way to do it without listing all the indexes
in the search or in a macro.

(2) The rule is actually useful to us, since we had a few issues with performance due to users
using index=*, selecting a big time period and searching for some "text" through all of our 280+ indexes.

But just curious why you are saying it isn't useful?

Regards,
@mlevsh 


gcusello
SplunkTrust

Hi @mlevsh,

Maybe you should try a different approach to index creation: usually different indexes are used when there are different retention periods and/or different access grants.

Indexes are silos in which it's possible to store data; different data are differentiated by sourcetype, not by index.

So you could reduce the number of indexes: 280 indexes are very difficult to manage and to use. Why do you have so many indexes?

In other words, it doesn't make any sense to have one sourcetype per index.

In other words, indexes aren't database tables.

The best approach is usually to limit the time range that a user can use in a search, not the indexes.

Ciao.

Giuseppe
