I have what I think should be a simple search, but I'm not quite able to come up with a way to do it. Ultimately I guess this is simply summing the total sources per host.
I'm trying to count the number of unique sources Splunk has used over the last, say, 30 days. When I say unique sources, I mean that it would count

    host1: /a/b/c, /d/e/f
    host2: /a/b/c, /d/e/f
    host3: /a/b/c, /d/e/f
as 6 separate sources even though the actual source name is the same. I had tried looking at the total sources in "metadata" but that looks at more sources than I'm looking for.
I don't need a breakdown by host, or a listing of the sources -- just a total count.
It seems like I'd want to somehow combine the hostname and the source name into one text field and then count the number of unique instances of that?
Thanks very much.
The metadata command does list the most recent time that data was written to the source, so you could just filter on that, except that it doesn't split out by host. The only way to do what you want unfortunately (and it's slow) is something like:

    * | stats count by host,source | stats count

If you need to query this a lot, you should build a (daily or hourly) summary index of

    * | sistats count by host,source

and query

    stats count

out of that.
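To make the answer above concrete, here is an added Python example (not the poster's code and not anything Splunk ships) that reproduces the logic of `* | stats count by host,source | stats count` over a constructed set of events. It also shows why a source-only count (the `metadata` view) comes out too low for the question asked, and why, when rolling daily summaries back up, the pairs have to be deduplicated across days rather than the summary rows simply counted. The events, hosts and paths are made up for the illustration.

```python
"""Added example: count distinct (host, source) pairs the way
`* | stats count by host,source | stats count` does, and compare it
with a source-only count and with a daily summary-index style rollup.
Not Splunk code; the events below are constructed for the demo."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, host, source)
NOW = datetime(2024, 6, 30, 12, 0, 0)
EVENTS = [
    (NOW - timedelta(days=1), "host1", "/a/b/c"),
    (NOW - timedelta(days=2), "host1", "/d/e/f"),
    (NOW - timedelta(days=3), "host2", "/a/b/c"),
    (NOW - timedelta(days=5), "host2", "/d/e/f"),
    (NOW - timedelta(days=8), "host3", "/a/b/c"),
    (NOW - timedelta(days=8), "host3", "/d/e/f"),
    (NOW - timedelta(days=9), "host1", "/a/b/c"),    # same pair again: must not count twice
    (NOW - timedelta(days=45), "host4", "/old/log"),  # outside the 30-day window
]


def in_window(events, days, now=NOW):
    """Keep only events within the last `days` days (the search time range)."""
    cutoff = now - timedelta(days=days)
    return [e for e in events if e[0] >= cutoff]


def count_by_host_source(events):
    """Equivalent of `stats count by host,source`: one row per (host, source)."""
    counts = defaultdict(int)
    for _, host, source in events:
        counts[(host, source)] += 1
    return dict(counts)


def distinct_host_source(events, days=30):
    """`... | stats count by host,source | stats count` over the last N days."""
    return len(count_by_host_source(in_window(events, days)))


def distinct_source_only(events, days=30):
    """What counting sources alone (ignoring host) gives for the same window."""
    return len({source for _, _, source in in_window(events, days)})


def daily_summaries(events, days=30):
    """Summary-index style: one rollup of pair counts per calendar day."""
    per_day = defaultdict(list)
    for e in in_window(events, days):
        per_day[e[0].date()].append(e)
    return {day: count_by_host_source(evs) for day, evs in per_day.items()}


def distinct_from_summaries(summaries):
    """Re-aggregate the daily rollups by deduplicating pairs across days."""
    pairs = set()
    for rows in summaries.values():
        pairs.update(rows.keys())
    return len(pairs)


def summary_row_count(summaries):
    """Naive row count of the rollups; overcounts pairs seen on several days."""
    return sum(len(rows) for rows in summaries.values())


if __name__ == "__main__":
    print("distinct host/source pairs:", distinct_host_source(EVENTS))      # 6
    print("distinct sources only:     ", distinct_source_only(EVENTS))      # 2
    rollups = daily_summaries(EVENTS)
    print("pairs from daily rollups:  ", distinct_from_summaries(rollups))  # 6
    print("raw rollup rows:           ", summary_row_count(rollups))        # 7
```

The pair (host1, /a/b/c) appears on two different days, so in this simulation the raw rollup row count is 7 while the deduplicated answer is 6; the 45-day-old event is excluded by the time window, and the source-only view collapses the six pairs to two paths, which is exactly the undercount the question describes.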
This isn't something I need to run regularly so I can handle the long-running search. Thanks very much for the response!
This is another place where it would be nice search just the index without actually incurring the overhead of loading the raw data for each event. But for now, I'd suggest making sure that the event typer and lookups are disabled when creating a saved search for this. (Splunk should be able to disable a bunch of field extractions too, hopefully.)