Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

query to grab the metadata of the host entered by the user

kteng2024
Path Finder
‎01-08-2018 02:33 PM

Hello,

Can someone please help me to build a query that will display hostname , IP address , last reported by the forwarder.
If i use the index= star host= star , that will be too much load on the indexers . Is there any better way to grab those metrics.

0 Karma
Reply

mayurr98
Super Champion
‎01-08-2018 09:21 PM

hey try this

| tstats max(_time) as lastReported WHERE index=* by host | eval LastReported=strftime(lastReported,"%m/%d/%y %H:%M:%S") | table LastReported host  | join host [ search index=_internal hostname=* | stats count by sourceIp hostname | rename hostname as host]

Let me know if it works!

0 Karma
Reply

somesoni2
Revered Legend
‎01-08-2018 02:39 PM

You can use tstats to get host and last reported by forwarder. 

| tstats max(_time) as lastReported WHERE index=* by host

If you've dnslookup external lookup setup, you add that to above query to get the IP address.

0 Karma
Reply

kteng2024
Path Finder
‎01-08-2018 03:00 PM

Thank you for the reply. i have edited the query to convert epoch time to human readable format.Since we don't have external dnslookup , i am relying on internal index. But query couldn't display the sourceIP.

| tstats max(_time) as lastReported WHERE index=* by host | eval c_time=strftime(lastReported,"%m/%d/%y %H:%M:%S") | table c_time host | join [ search index=_internal hostname=* | stats count by sourceIp | table sourceIp ]

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to July Tech Talks, Office Hours, and Webinars!

What are Community Office Hours?Community Office Hours is an interactive 60-minute Zoom series where ...

Updated Data Type Articles, Anniversary Celebrations, and More on Splunk Lantern

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

A Prelude to .conf25: Your Guide to Splunk University

Heading to Boston this September for .conf25? Get a jumpstart by arriving a few days early for Splunk ...