Solved: How to filter out log volume data from certain hos...

raindrop18 · ‎12-14-2015

I have this search which is pulling a Splunk log volume usage report, but the index has logs from both production and lab environments, so I want filter out the hosts from the lab environment from this search. I have tried host=prd*, but that didn't work. Is there a way to filter by host name?

_internal source=*license_usage.log* type=Usage idx=web |   timechart  span=1h sum(b) as bytes | eval GB = round(bytes/1024/1024/1024,5) | fields _time GB

lguinn2 · ‎12-14-2015

The "host" field for the internal log is the name of the Splunk host - not the name of the host where the data came from!
In the license_usage.log, the name for the field you want is h.

So try this:

index=_internal source=*license_usage.log type=usage idx=web h="prd*"
| etc...

View solution in original post

lguinn2 · ‎12-14-2015

The "host" field for the internal log is the name of the Splunk host - not the name of the host where the data came from!
In the license_usage.log, the name for the field you want is h.

So try this:

index=_internal source=*license_usage.log type=usage idx=web h="prd*"
| etc...

raindrop18 · ‎12-15-2015

thanks a bunch, working as expected.

ppablo · ‎12-16-2015

Hi @raindrop18

I'm glad you were able to find what you needed with @lguinn's answer 🙂 Please don't forget to resolve this post by clicking "Accept" directly below her answer. Thanks!

Patrick

How to filter out log volume data from certain hosts in my search?

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!