Solved: How do I write the same search that populates the ...

samir_silva · ‎11-05-2015

I need the event data from the "Data Summary" because I need to create a search to find when hosts stop sending logs to our Splunk server via UDP syslog.

Thanks.

jmedved · ‎11-05-2015

I'm pretty new to Splunk, but maybe this will help a bit. I think you need to use a metadata search. I have been using this to find dead log sources.

| metadata type=hosts index=mcafee | where recentTime < now() - 3600 | eval lastSeen = strftime(recentTime, "%F %T") | fields + host lastSeen

Maybe you can modify that for your use case.

View solution in original post

jmedved · ‎11-05-2015

I'm pretty new to Splunk, but maybe this will help a bit. I think you need to use a metadata search. I have been using this to find dead log sources.

| metadata type=hosts index=mcafee | where recentTime < now() - 3600 | eval lastSeen = strftime(recentTime, "%F %T") | fields + host lastSeen

Maybe you can modify that for your use case.

samir_silva · ‎11-16-2015

Thank you so much jmedved,

I used this search and It's working very well.

Thank you so much again.

| metadata type=hosts index=* | where recentTime < now() - 3600 | eval "Ultimo Envio" = strftime(recentTime, "%F %T") |fields + host "Ultimo Envio" | search host!="10.244.68.15" host!="172.26.142.131" host!="172.26.142.129"

How do I write the same search that populates the "Data Summary"?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life