Splunk Search

Stats summary help? Only linux systems showing up

dave_rook
Engager

I'm using this query right now:
stats count by host, source, date_mday

It only lists Linux hosts but lists the data exactly as I need. We've got a bunch of Windows boxes and I'm not sure exactly why the filtering is happening. I'm guessing because of date_mday. The reason I'm using date_mday is because I want to break down the count of log data by host and by source so that I can make sure I'm collecting everything as expected. Should I be using something based off _time? Is there a better way to get the summary I'm looking for?

I'm guessing this is something fairly simple, but I'm pretty new to Splunk.

0 Karma

lguinn2
Legend

date_mday is created by Splunk, based on the time. This field exists for all events, regardless of source.

What you are showing is just the command part of a search string. Can you show the entire search string?

In the meantime, are any other queries working? When you log in to Splunk, do you see any Windows data on the Summary page? Is the Windows data perhaps in a different index?

lguinn2
Legend

Weird. Well, try this:

splunk_server="SERVERNAME" |
eval date_mday = tonumber(strftime(_time,"%d")) |
stats count by host source date_mday

0 Karma
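Added example, not from the thread or from Splunk: a small Python model of why `stats count by ... date_mday` can silently drop whole hosts and why deriving the day from `_time` keeps them in the summary. It assumes constructed sample events in which the Windows events carry no `date_mday` field (as happens when Splunk does not extract the timestamp from the raw event text), and an assumed forwarder inventory `EXPECTED_HOSTS` used to flag hosts absent from the result, which is the collection gap the summary is meant to catch.

```python
from collections import Counter
from datetime import datetime, timezone

# Constructed sample events (not real data from the thread). The two
# Windows events have no date_mday field; the Linux events do.
EVENTS = [
    {"host": "lnx01", "source": "/var/log/secure", "_time": 1328140800, "date_mday": 2},
    {"host": "lnx01", "source": "/var/log/secure", "_time": 1328227200, "date_mday": 3},
    {"host": "win01", "source": "WinEventLog:Security", "_time": 1328140800},
    {"host": "win02", "source": "WinEventLog:System", "_time": 1328227200},
]
# Assumed inventory of hosts that should be forwarding logs.
EXPECTED_HOSTS = {"lnx01", "win01", "win02"}


def stats_count_by(events, *by_fields):
    """Model of `stats count by <fields>`: an event is dropped from the
    result when any by-field is null, so a host whose events all lack
    one of the fields vanishes from the summary without any error."""
    counts = Counter()
    for ev in events:
        key = tuple(ev.get(f) for f in by_fields)
        if any(v is None for v in key):
            continue
        counts[key] += 1
    return dict(counts)


def eval_date_mday(events):
    """Model of `eval date_mday = tonumber(strftime(_time,"%d"))`: the
    day-of-month is computed from _time for every event, so the field
    is never null. UTC is assumed here; Splunk uses the user's timezone."""
    out = []
    for ev in events:
        day = datetime.fromtimestamp(ev["_time"], tz=timezone.utc).day
        out.append({**ev, "date_mday": day})
    return out


def missing_hosts(summary, expected):
    """Hosts in the inventory that never appear in the summary, i.e. the
    collection gap the per-host/per-source count is meant to reveal."""
    seen = {key[0] for key in summary}
    return sorted(expected - seen)
```

Run the original grouping and the `eval`-based one over the same events: only the second keeps the Windows hosts, and `missing_hosts` then returns an empty list.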

dave_rook
Engager

When I use the same search string without date_mday, the Windows sources show up as I'd expect.

The only other detail is that I'm limiting my search to a specific splunk server to limit the scope of my search:
splunk_server="SERVERNAME" | stats count by host, source, date_mday

I did set a date restriction (2012-02-01 00:00:00 to now). I'm not aware of any other input I might be excluding, as this is all I'm specifying in Splunk.

0 Karma