I can look in the _internal index on the deployment server to get this log:
xxxx.xxx.xxx.xxx - - [24/Sep/2014:10:09:39.751 -0500] "POST /services/broker/phonehome/connection_X.X.X.X_8089_AnyServer.MyDomain.com_AnyServer_ServerClass HTTP/1.0" 200 1468 - - - 44ms
So I can see the Server name and the serverclass of the system. I can create a search like this:
host="DeploymentServer" index="_internal" sourcetype="splunkd_access" "POST /services/broker/phonehome/connection" serverclass=* earliest=-3mon@mon latest=@mon| dedup clientip | timechart span=1m count AS "Num Systems"
My problem is that for the 3 months I have over 15 million records for the phonehome log from my more than 600 systems.
Anyone know of a faster way to search for hosts connected by month to the deployment server?
You should be able to use the REST interface to get what you want a little more elegantly, as was suggested to me in this answer.
@pmdba Thanks for the suggestion. I tried this search:
| rest /services/deployment/server/clients | table clientName hostname
and this one
| rest /services/deployment/server/clients
and it returned no results over a month
I tried this one too:
|eventcount summarize=false index=* | table index | map maxsearches=1000 search="|metadata type=hosts index=$index$ | table host | eval index=\"$index$\""
and it gave me all the hosts that had ever recorded data to the system in any index, and no time interval to sort on or compare to last month.
Expected result?
Client IP: count of connections?
Client IP: count of serverclasses?
In one case I would like all servers reporting per month over time. This will show a trend of added servers.
In another case I would like the number of servers by serverclass over time. Each server class is an operational organization. This will show which org is putting in the most systems over time.
Sorry, if I do this I can get a count by serverclass:
host="DeploymentServer" index="_internal" sourcetype="splunkd_access" "POST /services/broker/phonehome/connection" serverclass=* earliest=-3mon@mon latest=@mon| dedup clientip | timechart span=1m count by serverclass
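The parse-and-count that both searches in this thread are after, written as an added SPL example (this is not from the original thread; the field names client_ip, mgmt_port, client_fqdn, client_host and serverclass are assigned here by rex, and the regex assumes the URI layout of the sample log line above, i.e. no underscores inside the hostnames). One caveat worth stating: dedup over the whole three months followed by a one-minute timechart credits each client only to the minute of its first phone-home, so the monthly trend is lost; counting distinct hosts inside each monthly bucket gives the per-month figure directly and avoids the dedup pass over 15 million events.

```spl
host="DeploymentServer" index="_internal" sourcetype="splunkd_access"
    "POST /services/broker/phonehome/connection" earliest=-3mon@mon latest=@mon
| rex "phonehome/connection_(?<client_ip>[^_\s]+)_(?<mgmt_port>\d+)_(?<client_fqdn>[^_\s]+)_(?<client_host>[^_\s]+)_(?<serverclass>\S+) HTTP/"
| timechart span=1mon dc(client_host) AS "Num Systems" by serverclass
```

Drop `by serverclass` from the last line to get the total number of distinct systems reporting per month (the first request above). Because rex runs on _raw, the search does not depend on how the splunkd_access sourcetype happens to extract fields, and dc() per bucket counts a host once per month no matter how many times it phoned home; a host that belongs to several serverclasses is counted once under each.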