Count of UF reporting by serverclass over time

hartfoml
Motivator

I can look in the _internal index on the deployment server to get this log

xxxx.xxx.xxx.xxx - - [24/Sep/2014:10:09:39.751 -0500] "POST /services/broker/phonehome/connection_X.X.X.X_8089_AnyServer.MyDomain.com_AnyServer_ServerClass HTTP/1.0" 200 1468 - - - 44ms

So I can see the Server name and the serverclass of the system. I can create a search like this:

host="DeploymentServer" index="_internal" sourcetype="splunkd_access" "POST /services/broker/phonehome/connection" serverclass=* earliest=-3mon@mon latest=@mon| dedup clientip | timechart span=1m count AS "Num Systems"

My problem is that for the 3 months I have over 15 million records for the phonehome log from my more than 600 systems.

Anyone know of a faster way to search for hosts connected by month to the deployment server?

0 Karma

pmdba
Builder

You should be able to use the REST interface to get what you want a little more elegantly, as was suggested to me in this answer.

0 Karma

hartfoml
Motivator

@pmdba Thanks for the suggestion. I tried this search

| rest /services/deployment/server/clients | table clientName hostname

and this one

| rest /services/deployment/server/clients

and it returned no results over a month. I tried this one too:

|eventcount summarize=false index=* | table index | map maxsearches=1000 search="|metadata type=hosts index=$index$ | table host | eval index=\"$index$\""

and it gave me all the hosts that had ever recorded data to the system to any index, and no time interval to sort on or compare to last month.

0 Karma

sowings
Splunk Employee

Expected result?

Client IP: count of connections?

Client IP: count of serverclasses?

0 Karma

hartfoml
Motivator

In one case I would like all servers reporting per month over time. This will show a trend of added servers.

In another case I would like the number of servers by serverclass over time. Each server class is an operational organization. This will show which org is putting in the most systems over time.

0 Karma

hartfoml
Motivator

Sorry, if I do this I can get a count by serverclass:

host="DeploymentServer" index="_internal" sourcetype="splunkd_access" "POST /services/broker/phonehome/connection" serverclass=* earliest=-3mon@mon latest=@mon| dedup clientip | timechart span=1m count by serverclass

0 Karma
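As an added example (not from the thread or from Splunk), the same phonehome lines parsed outside SPL: it extracts month, hostname and serverclass from the quoted `splunkd_access` format, counts each client once per month per serverclass (the question's per-month trend and the last post's count by serverclass), and lists clients that phoned home last month but not this month, which is the "compare to last month" check and also flags forwarders whose logs have silently stopped arriving. The path layout `connection_<clientip>_<port>_<fqdn>_<hostname>_<serverclass>` is inferred from the single sample line, and the log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime
# Matches the splunkd_access phonehome line quoted in the question. Assumed
# path layout: connection_<clientip>_<port>_<fqdn>_<hostname>_<serverclass>
LINE_RE = re.compile(
    r'^(?P<clientip>\S+) - - \[(?P<ts>[^\]]+)\] '
    r'"POST /services/broker/phonehome/connection_(?P<path>\S+) HTTP/1\.[01]" '
    r'(?P<status>\d{3}) ')

# Constructed sample lines, not real deployment-server data.
SAMPLE_LOG = """\
10.0.0.5 - - [24/Sep/2014:10:09:39.751 -0500] "POST /services/broker/phonehome/connection_10.0.0.5_8089_web01.example.com_web01_Linux_Web HTTP/1.0" 200 1468 - - - 44ms
10.0.0.5 - - [24/Sep/2014:10:10:39.751 -0500] "POST /services/broker/phonehome/connection_10.0.0.5_8089_web01.example.com_web01_Linux_Web HTTP/1.0" 200 1468 - - - 41ms
10.0.0.6 - - [25/Sep/2014:10:09:39.751 -0500] "POST /services/broker/phonehome/connection_10.0.0.6_8089_web02.example.com_web02_Linux_Web HTTP/1.0" 200 1468 - - - 40ms
10.0.0.7 - - [01/Oct/2014:08:00:00.000 -0500] "POST /services/broker/phonehome/connection_10.0.0.7_8089_dc01.example.com_dc01_Windows_DC HTTP/1.0" 200 1468 - - - 39ms
10.0.0.5 - - [02/Oct/2014:08:00:00.000 -0500] "POST /services/broker/phonehome/connection_10.0.0.5_8089_web01.example.com_web01_Linux_Web HTTP/1.0" 200 1468 - - - 42ms
10.0.0.9 - - [02/Oct/2014:08:00:00.000 -0500] "GET /services/server/info HTTP/1.0" 200 500 - - - 3ms
"""

def parse_phonehome(line):
    """Return (month, hostname, serverclass) for a phonehome line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S.%f %z")
    # maxsplit=4 keeps underscores inside the serverclass name intact;
    # the hostname itself is assumed to contain none.
    parts = m.group("path").split("_", 4)
    if len(parts) != 5:
        return None
    _ip, _port, _fqdn, hostname, serverclass = parts
    return ts.strftime("%Y-%m"), hostname, serverclass

def clients_by_month(lines):
    """{(month, serverclass): set of hostnames}: each client once per month."""
    seen = defaultdict(set)
    for line in lines:
        rec = parse_phonehome(line)
        if rec:
            month, hostname, serverclass = rec
            seen[(month, serverclass)].add(hostname)
    return seen

def dropped_clients(seen, prev_month, cur_month):
    """Clients seen in prev_month but silent in cur_month (a coverage gap)."""
    prev = set().union(*(v for (m, _), v in seen.items() if m == prev_month))
    cur = set().union(*(v for (m, _), v in seen.items() if m == cur_month))
    return prev - cur
```

`len(seen[(month, serverclass)])` gives the per-month count for one serverclass; summing over all serverclasses for a month gives the total reporting fleet.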