Solved: What is the most efficient way to search for uniqu...

victorstarosten · ‎10-23-2014

I need to find unique hosts consumed by a specific index.
I use the following search string:

index=my_index
|stats values(host)

As I understand, 'values' returns unique values for 'host'. This gives me what I need, but takes a loooooong time (3+ hours).
Is there a better way?

Thanks!

kristian_kolb · ‎10-23-2014

Yes, there is a faaar better way;

| metadata type=hosts index=your_index_here

EDIT: and yes. The search actually starts with a pipe.

/K

View solution in original post

kristian_kolb · ‎10-23-2014

Yes, there is a faaar better way;

| metadata type=hosts index=your_index_here

EDIT: and yes. The search actually starts with a pipe.

/K

martin_mueller · ‎10-23-2014

metadata is the way to go here, but if your stats requirements on indexed fields become more complex you should take a look at tstats: http://docs.splunk.com/Documentation/Splunk/6.1.4/SearchReference/tstats

For example

| tstats count where index=* by index sourcetype host

Will give you a blazingly fast summary of what your Splunk data looks like in those three dimensions.

victorstarosten · ‎10-23-2014

Perfect.

Thank you.

ppablo · ‎10-23-2014

I was just about to post that 🙂 Here's the documentation on the metadata command for future reference @victorstarostenko

Cheers!

What is the most efficient way to search for unique hosts by a specific index?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life