How to get a progressive chart of hosts added over time using the metadata command firstTime field

hartfoml
Motivator

I want to draw a chart of hosts added over time so that I can see at the beginning zero hosts and at the end 3,685 hosts. I would like to do this using the firstTime field from | metadata type=hosts

I have this search

| metadata type=hosts | eval Date=strftime(firstTime,"%Y-%m-%d") | fields host Date

but it is just a search of number of hosts added each day and not progressive over time.

I have this search

index=_internal hostname="*" component="Metrics" | timechart span=d dc(hostname)

from Answers, but it is using the metrics logs and takes too long over a large number of days.

I would like a count to date from the beginning for each day of my search.

Like
(day 1 count = 5)
(day 2 count = 5 + day1)
(day 3 count = 5 + day2)
and on and on.

Thanks for any help.

0 Karma
1 Solution

diogofgm
SplunkTrust

Use streamstats:

| metadata type=hosts | eval date=strftime(firstTime,"%Y-%m-%d") | fields host date | chart count(host) AS new_hosts over date | streamstats sum(new_hosts) AS total_hosts
------------
Hope I was able to help you. If so, some karma would be appreciated.

somesoni2
Revered Legend

This should do the trick.

| metadata type=hosts index=* | eval _time=firstTime | fields _time host | timechart span=1d dc(host) as Hosts | makecontinuous | eval Hosts=coalesce(Hosts,0) | accum Hosts

kiran_mh
Explorer

Hi somesoni2,

Using your query, is it possible to get the host names as well?

We want to know which hosts were added in the last 7 days, a report to be generated weekly once which gives us the list of hosts which were added in the last 7 days.

Thanks in advance

0 Karma

hartfoml
Motivator

This did a great job, and I am still struggling to understand the code, but it had a very different result than the search above. Thanks so much for your contribution; it is a great learning code for me to try on something else. Thanks again for the help.

0 Karma

hartfoml
Motivator

This is a very cool chart. Thanks so much @diogofgm, this was more than I was hoping for. Every Splunk Admin should have this chart to show growth and assimilation. Resistance is futile 🙂

0 Karma
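
Added example, not part of the thread and not Splunk code: a Python model of what the two answers compute from firstTime (daily new-host count plus a running total, with and without gap filling), extended to list the hosts first seen in the last 7 days as asked in the comments. The sample rows, the function names and the UTC day bucketing are assumptions made for illustration.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed rows shaped like `| metadata type=hosts` output:
# (host, firstTime in epoch seconds). Not real data.
ROWS = [
    ("web01", 1659312000),  # 2022-08-01 00:00 UTC
    ("web02", 1659315600),  # 2022-08-01 01:00 UTC
    ("db01", 1659398400),   # 2022-08-02 00:00 UTC
    ("app01", 1659657600),  # 2022-08-05 00:00 UTC
    ("app02", 1659700800),  # 2022-08-05 12:00 UTC
    ("vpn01", 1659916800),  # 2022-08-08 00:00 UTC
]


def first_day(epoch):
    """Day bucket of firstTime. UTC is assumed here for reproducibility."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).date()


def running_total(rows, fill_gaps=False):
    """Return (day, new_hosts, total_hosts) tuples in date order.

    fill_gaps=False models `chart count(host) over date | streamstats sum(...)`:
    only days on which a host first appeared get a row.
    fill_gaps=True models `timechart span=1d | makecontinuous | accum`:
    quiet days get a row with 0 new hosts, so the line has no holes.
    """
    new = Counter(first_day(t) for _, t in rows)
    if not new:
        return []
    days = sorted(new)
    if fill_gaps:
        span = (days[-1] - days[0]).days
        days = [days[0] + timedelta(days=i) for i in range(span + 1)]
    out, total = [], 0
    for d in days:
        total += new[d]  # Counter yields 0 for days with no new host
        out.append((d.isoformat(), new[d], total))
    return out


def added_since(rows, now_epoch, days=7):
    """Hosts whose firstTime falls within the last `days` days, oldest first."""
    cutoff = now_epoch - days * 86400
    hits = sorted((t, h) for h, t in rows if t >= cutoff)
    return [(h, first_day(t).isoformat()) for t, h in hits]
```

The last row of either series is the current host count; `added_since` is the per-host view a weekly new-host report would need.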