Solved: Number of hosts forwarding logs to indexer

rxdeleon · ‎07-06-2011

I would like to know the quickest way to count the number of hosts that have sent data to the indexer for the last 7 days.

gkanapathy · ‎07-06-2011

Well, the quickest will probably be:

| metadata type=hosts | where now()-recentTime < (7*24*60*60)

What it actually tells you is which hosts have a most recently sent event whose timestamp is within the last 7 days, though this is likely to be close to what you asked for if you are generally bringing in correctly timestamped data in real time.

View solution in original post

gkanapathy · ‎07-06-2011

Well, the quickest will probably be:

| metadata type=hosts | where now()-recentTime < (7*24*60*60)

What it actually tells you is which hosts have a most recently sent event whose timestamp is within the last 7 days, though this is likely to be close to what you asked for if you are generally bringing in correctly timestamped data in real time.

rxdeleon · ‎07-07-2011

Yes, this is a much quicker method. Thank you so much.

proctorgeorge · ‎07-06-2011

Does this search do it for you?

index=_internal source="C:\\Program Files\\Splunk\\var\\log\\splunk\\metrics.log" earliest=-7d@d | table sourceHost | dedup sourceHost | stats count

with the source path changed accordingly of course!

Number of hosts forwarding logs to indexer

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Adoption of RUM and APM at Splunk