Hi
I am trying to get a query that returns, every day, the list of devices (new Splunk clients) that have started forwarding data for the first time.
Thanks & regards,
Sunnybmv
Try this
1) Create a saved search with the following search query:
| metadata type=hosts index=* | eval duration=now()-firstTime | where duration<87300 | rename host as Client firstTime as FirstReportedOn totalCount as EventReported | table Client FirstReportedOn EventReported
(In the above query, 87300 is 86400 (1 day) + 900 (15 min), so it will list all the hosts that reported for the first time yesterday.)
2) Schedule this saved search to run every night at 12:15 AM:
cron schedule - 15 0 * * *
3) Set up an appropriate alert action (sending email, etc.).
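The three steps above, written out as a single savedsearches.conf stanza, as an added example that is not part of the original answer. The stanza name, the e-mail address and the app location are placeholders, and the search window has been tightened to "yesterday 00:00 to today 00:00" with relative_time() instead of now()-87300: with the fixed 87300-second window a host first seen between 00:00 and 00:15 is reported on two consecutive nights, while day boundaries report each host exactly once. The search is dispatched over all time so that firstTime is the host's true first event rather than the first event inside the search window; the epoch value is converted to a readable timestamp before it is e-mailed.

```ini
# savedsearches.conf (placeholder location: $SPLUNK_HOME/etc/apps/<your_app>/local/)
# Added example; stanza name and addresses are assumptions, not from the original answer.
[New forwarding hosts - last day]
# Hosts whose first indexed event lies between yesterday 00:00 and today 00:00.
# The search runs at 00:15, so "today" is the run date and the window is the
# whole previous day, with no overlap between consecutive runs.
search = | metadata type=hosts index=* \
  | where firstTime >= relative_time(now(), "-1d@d") AND firstTime < relative_time(now(), "@d") \
  | rename host AS Client, firstTime AS FirstReportedOn, totalCount AS EventsReported \
  | convert ctime(FirstReportedOn) \
  | table Client FirstReportedOn EventsReported

# Step 2: run every night at 00:15. Fields are minute hour day-of-month month day-of-week,
# so 00:15 is "15 0", not "0 15" (which would be 15:00).
enableSched = 1
cron_schedule = 15 0 * * *

# Search all time, otherwise firstTime reflects only the buckets inside the
# dispatch window and long-standing hosts would be reported as new.
dispatch.earliest_time = 0
dispatch.latest_time = now

# Trigger only when at least one new host was found.
counttype = number of events
relation = greater than
quantity = 0
alert.track = 1

# Step 3: alert action. E-mail the result table inline (address is a placeholder).
action.email = 1
action.email.to = soc@example.com
action.email.subject = New Splunk forwarding hosts seen by $name$
action.email.inline = 1
action.email.sendresults = 1
```

After deploying the stanza, confirm the schedule in Settings > Searches, reports, and alerts, and run the search once by hand with an all-time range to check that existing hosts do not appear; if a known host does show up, its firstTime is later than expected, which usually means older buckets have been frozen or the host value changed.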