Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Splunk Search
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Find hosts matching naming criteria in Splunk?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sm600
Explorer
06-25-2015
12:32 PM
We use this search quite a bit, and love it. In this example it provides a list of all hosts (servers) reporting to splunk in a specific index...
|metadata type=hosts index=ms_ad_log| convert timeformat=" %m/%d/%Y" ctime(*) none(host) none(type) none(totalCount) |rename firstTime AS first, recentTime AS last, totalCount as total | table host,first,last,total | sort - total
But...I need to narrow this search to a specific set of hosts that are named IAA -- and using this search criteria doesn't seem to work....
|metadata type=hosts index=* host=*IAA*| convert timeformat=" %m/%d/%Y" ctime(*) none(host) none(type) none(totalCount) |rename firstTime AS first, recentTime AS last, totalCount as total | table host,first,last,total | sort - total
Any ideas?
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
MuS
Legend
06-25-2015
02:14 PM
Hi sm600,
@sk314 got it almost correct 😉 Try this:
| metadata type=hosts index=*
| search host=IAA*
| convert timeformat=" %m/%d/%Y" ctime(*) none(host) none(type) none(totalCount)
| rename firstTime AS first, recentTime AS last, totalCount as total
| table host,first,last,total
| sort - total
cheers, MuS
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
MuS
Legend
06-25-2015
02:14 PM
Hi sm600,
@sk314 got it almost correct 😉 Try this:
| metadata type=hosts index=*
| search host=IAA*
| convert timeformat=" %m/%d/%Y" ctime(*) none(host) none(type) none(totalCount)
| rename firstTime AS first, recentTime AS last, totalCount as total
| table host,first,last,total
| sort - total
cheers, MuS
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sk314
Builder
06-25-2015
02:22 PM
Not again! 😐 😛
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sm600
Explorer
06-25-2015
05:29 PM
Thanks...adding
|search host=*iaa*|
worked perfectly
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sk314
Builder
06-25-2015
02:05 PM
Did you try using host=IAA* ?
Get Updates on the Splunk Community!
Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...
The Transformative Power of AI and ML in Enhancing Observability
In the realm of IT operations, the ...
.conf24 | Registration Open!
Hello, hello! I come bearing good news: Registration for .conf24 is now open!
conf is Splunk’s rad annual ...
ICYMI - Check out the latest releases of Splunk Edge Processor
Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.
HEC Receiver authorization ...
