Hi all,
I have around 8 hosts in my Splunk and I am searching for a report which will list out
Please help in search query.
Lohit
this works
index=_internal (source=/metrics.log OR source=\metrics.log) |dedup os,hostname| stats count(hostname) by os
Also I have devised the below query to count the number of occurrences of OS.
index=_internal (source=/metrics.log OR source=\metrics.log) group="tcpin_connections"| dedup os,hostname| stats count(hostname) by os
Could you please post a few sample lines form the metrics.log? I don't have one in front of me right now.
I have tried this query to list out the hostname, IP, OS and total logs collected. Please tell me what can be the shortcoming of this query.
index=_internal (source=/metrics.log OR source=\metrics.log) group="tcpin_connections"| eval MB=kb/1024 | stats sum(MB) by hostname,sourceHost,os | rename hostname as Source sourceHost as SourceIP os as "Source OS" sum(MB) as "Total Events"
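An added example, not from this thread, that mimics the three searches above in Python over constructed metrics.log tcpin_connections lines (approximations of the real format, not captured data). It shows why the dedup step matters: counting raw events gives one hit per metrics interval, so long-connected forwarders inflate the number, while deduplicating on (os, hostname) gives the number of servers per OS that the requested report needs.

```python
import re
from collections import defaultdict

# Constructed sample lines approximating metrics.log tcpin_connections output.
SAMPLE_METRICS_LOG = """\
03-01-2019 10:00:31.000 +0000 INFO  Metrics - group=tcpin_connections, 10.0.0.11:51000:9997, sourceHost=10.0.0.11, kb=120.5, version=7.2.0, os=Linux, hostname=web01
03-01-2019 10:01:01.000 +0000 INFO  Metrics - group=tcpin_connections, 10.0.0.11:51000:9997, sourceHost=10.0.0.11, kb=98.0, version=7.2.0, os=Linux, hostname=web01
03-01-2019 10:00:31.000 +0000 INFO  Metrics - group=tcpin_connections, 10.0.0.12:51002:9997, sourceHost=10.0.0.12, kb=40.0, version=7.2.0, os=Linux, hostname=db01
03-01-2019 10:00:31.000 +0000 INFO  Metrics - group=tcpin_connections, 10.0.0.20:52000:9997, sourceHost=10.0.0.20, kb=300.25, version=7.2.0, os=Windows, hostname=dc01
03-01-2019 10:01:01.000 +0000 INFO  Metrics - group=tcpin_connections, 10.0.0.20:52000:9997, sourceHost=10.0.0.20, kb=12.0, version=7.2.0, os=Windows, hostname=dc01
03-01-2019 10:00:31.000 +0000 INFO  Metrics - group=queue, name=parsingqueue, max_size_kb=6144, current_size_kb=0
"""

KV_RE = re.compile(r"(\w+)=([^,\s]+)")  # key=value pairs separated by ", "

def parse_tcpin_connections(text):
    """Return the key=value fields of every group=tcpin_connections line."""
    records = []
    for line in text.splitlines():
        fields = dict(KV_RE.findall(line))
        if fields.get("group") == "tcpin_connections":
            records.append(fields)
    return records

def events_per_os(records):
    """Like '... | stats count by os': one hit per metrics interval per host."""
    counts = defaultdict(int)
    for r in records:
        counts[r["os"]] += 1
    return dict(counts)

def hosts_per_os(records):
    """Like '... | dedup os,hostname | stats count(hostname) by os': servers per OS."""
    seen = {(r["os"], r["hostname"]) for r in records}
    counts = defaultdict(int)
    for os_name, _host in seen:
        counts[os_name] += 1
    return dict(counts)

def mb_per_host(records):
    """Like '... | eval MB=kb/1024 | stats sum(MB) by hostname,sourceHost,os'."""
    totals = defaultdict(float)
    for r in records:
        totals[(r["hostname"], r["sourceHost"], r["os"])] += float(r["kb"]) / 1024
    return dict(totals)

if __name__ == "__main__":
    print(hosts_per_os(parse_tcpin_connections(SAMPLE_METRICS_LOG)))
```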
So what do you have in _internal? Are there messages from the forwarders that contain the information on the OS?
splunkd.log messages will contain the OS information on startup of the forwarder, but that is probably not good enough, since _internal is only retained for 30 days by default. Your forwarders may not reboot that often.
More to clarify. I am looking to build a report in the following format.
OS type Total No of servers
Windows #
Linux #
Yes, I am using universal forwarders but I do not want to use Deployment Monitor, and currently (Win and Linux) are sources. I am trying to build a command on the _internal index but have not been able to succeed so far, as it is showing the occurrences of events corresponding to an OS type. I have to write a query on the total count of the os field for the hostname field.
What log sources do you have? If you are using forwarders and use the Deployment Monitor, you can easily see this info in the DM 'all forwarders' page.