You can do:
1. Host Name
2. Host IP
3. Host OS type
4. Amount of logs indexed.
With
index=_internal (source=*/metrics.log* OR source=*\\metrics.log*) group="tcpin_connections" | stats sum(kb) by hostname,sourceHost,os | sort -sum(kb) | rename sourceHost AS HostIP, hostname AS HostName, os AS OSType
And you can do sourcetype with:
index=_internal (source=*/metrics.log* OR source=*\\metrics.log*) group=per_sourcetype_thruput | stats sum(kb) by series | sort -sum(kb)
But you cannot get sourcetype by host. At least I can't figure out how to do it.
Hi Luke,
I was actually running the first search, but over group=per_host_thruput. I will surely run your search, but in my environment I have 8 universal forwarders, yet the hostname field in the _internal index shows only 3. Why is this happening? Any idea?
Also, how can I list the saved searches in a report?
Please help!!
Try this:
index=_internal (source=*/metrics.log* OR source=*\\metrics.log*) group="tcpin_connections" | fillnull value=null | dedup hostname| stats count by os | rename os AS OSType
Yeah, it is working now. Luke, if I have to display
what modification should I make in the above search?
Try adding fillnull value=null before stats.
index=_internal (source=*/metrics.log* OR source=*\\metrics.log*) group="tcpin_connections" | fillnull value=null | stats sum(kb) by hostname,sourceHost,os |sort -sum(kb) | rename sourceHost AS HostIP, hostname AS HostName, os AS OSType
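The reason fillnull matters here is that stats ... by hostname,sourceHost,os silently drops any event in which one of the by-fields is missing, so a forwarder whose tcpin_connections entries lack (for example) the os field disappears from the table even though it is sending data. The script below is an added example, not code from this thread or from Splunk: it replays that aggregation over a few constructed metrics.log lines (the field layout is an approximation of the real format, using the field names the thread relies on: group, hostname, sourceHost, os, kb) once without and once with the fillnull behaviour, and adds the check a practitioner would want, comparing an assumed inventory of forwarder hostnames against the hostnames actually seen.

```python
import re
from collections import defaultdict

# Constructed sample lines approximating metrics.log tcpin_connections
# entries (assumption: real forwarder output has more fields; only the
# ones used below matter). app02 deliberately has no os= field, and the
# last line belongs to a different group and must be ignored.
SAMPLE_METRICS_LOG = """\
01-15-2020 10:00:00.001 +0000 INFO  Metrics - group=tcpin_connections, 10.0.0.11:51234:9997, connectionType=cooked, sourcePort=51234, sourceHost=10.0.0.11, sourceIp=10.0.0.11, destPort=9997, kb=120.5, os=Linux, arch=x86_64, hostname=web01, fwdType=uf
01-15-2020 10:00:00.002 +0000 INFO  Metrics - group=tcpin_connections, 10.0.0.12:51235:9997, connectionType=cooked, sourcePort=51235, sourceHost=10.0.0.12, sourceIp=10.0.0.12, destPort=9997, kb=40.0, os=Windows, arch=x86_64, hostname=dc01, fwdType=uf
01-15-2020 10:00:30.003 +0000 INFO  Metrics - group=tcpin_connections, 10.0.0.11:51234:9997, connectionType=cooked, sourcePort=51234, sourceHost=10.0.0.11, sourceIp=10.0.0.11, destPort=9997, kb=79.5, os=Linux, arch=x86_64, hostname=web01, fwdType=uf
01-15-2020 10:00:30.004 +0000 INFO  Metrics - group=tcpin_connections, 10.0.0.13:51236:9997, connectionType=cooked, sourcePort=51236, sourceHost=10.0.0.13, sourceIp=10.0.0.13, destPort=9997, kb=15.0, hostname=app02, fwdType=uf
01-15-2020 10:00:30.005 +0000 INFO  Metrics - group=per_sourcetype_thruput, series="syslog", kbps=1.2, eps=3.0, kb=36.0, ev=90
"""

# key=value pairs; values are either double-quoted or run to the next comma/space
KV_RE = re.compile(r'(\w+)=("([^"]*)"|[^,\s]+)')

GROUP_BY = ("hostname", "sourceHost", "os")   # the by-fields of the thread's search


def parse_metrics(text):
    """Turn each metrics.log line into a dict of its key=value fields."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = {}
        for m in KV_RE.finditer(line):
            key, raw, quoted = m.group(1), m.group(2), m.group(3)
            fields[key] = quoted if quoted is not None else raw
        events.append(fields)
    return events


def tcpin_by_host(events, fillnull=None):
    """Equivalent of:
         group=tcpin_connections | [fillnull value=<fillnull>] | stats sum(kb) by hostname,sourceHost,os
    Returns {(hostname, sourceHost, os): total_kb}. With fillnull=None an
    event missing any by-field is dropped, exactly as stats does."""
    totals = defaultdict(float)
    for ev in events:
        if ev.get("group") != "tcpin_connections":
            continue
        key = tuple(ev.get(field, fillnull) for field in GROUP_BY)
        if any(v is None for v in key):
            continue  # stats silently discards this event
        totals[key] += float(ev["kb"])
    return dict(totals)


def hosts_seen(events):
    """Distinct forwarder hostnames that reported on tcpin_connections."""
    return {ev["hostname"] for ev in events
            if ev.get("group") == "tcpin_connections" and "hostname" in ev}


def missing_hosts(expected, events):
    """Inventory check: forwarders you expect but that never show up in
    tcpin_connections for the searched time range. `expected` is an
    assumed list of hostnames you maintain yourself."""
    return sorted(set(expected) - hosts_seen(events))


if __name__ == "__main__":
    evs = parse_metrics(SAMPLE_METRICS_LOG)
    print("without fillnull:", tcpin_by_host(evs))          # app02 is gone
    print("with fillnull:   ", tcpin_by_host(evs, "null"))  # app02 kept, os="null"
    print("never reported:  ", missing_hosts(["web01", "dc01", "app02", "db01"], evs))
```

If a forwarder shows up in missing_hosts it has not sent anything over the searched time range at all, which is a different problem from the by-field gap that fillnull fixes; widen the time range or check the forwarder itself in that case.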
I am just running the search that you specified.
What search are you running exactly when you look for hosts?
All the universal forwarder are sending logs to indexer directly.
Are all hosts sending data to the indexer, or are some of the hosts sending data to other universal forwarders and then on to the indexer?
I am using universal forwarders
Regarding the hosts, are you using heavy forwarders?
I am searching for the hosts over the whole time span.
Also, I want to display the search names and whether I have made any modifications to the built-in searches.
You want to list the search names, or you want to report the search results?
As for the hosts, first verify that you have data from the missing hosts in the timeframe you're searching.
Done, Luke. :) It would be really helpful if you could also guide me in solving the problem of the discrepancy between the number of actual hosts and those listed in _internal.
All the searches that I have created in Splunk, I want to show them in a report.
For starters, if you like my answer then you could upvote it:)
What do you mean when you say "list the saved searches" exactly?
Group per_host_thruput will list the host in the field "series".
Group tcpin will list the host in the field hostname.
Are you sure that the hosts have sent data in the time frame that you are searching?
Why don't you just download the deployment monitor app? It has all of that pre-built.
This does not show sourcetype thruput by host, nor does it show the host IP.
Just to clarify the parameters: 'host name', 'host IP' and 'host OS type' are the details of the host from which the logs are coming.