Splunk Search

Count the movement (add remove) of hosts

smudge797
Path Finder

If I add 1 host and remove another host in a month, the stats will be the same and the delta zero, but we had movement. That's what I'm trying to track. This is what I have so far:

| timechart span=1m dc(Host_Name) as Count_Of_Hosts
| streamstats window=2 last(Count_Of_Hosts) AS Last, first(Count_Of_Hosts) AS First
| eval Delta=Last-First

0 Karma

woodcock
Esteemed Legend

You should not post the same question twice. You should take time to clearly formulate it before you post it and update the original question as needed. See my answer here:

https://answers.splunk.com/answers/412098/how-to-search-the-count-of-addsremoves-new-hosts-v.html#an...

martin_mueller
SplunkTrust

In order to build a fairly reliable search you'll have to tell us what your events look like, how often they occur, under what condition a host is considered to be added or removed, and so on.

Some early thoughts on your attempt: going by the distinct count is troublesome. If you add host A and remove host B, your distinct count doesn't change. Depending on your number of hosts and the sample rate of their events, this statistically won't be avoidable. You will need to track adds and removes per host, and then count those add/remove events.

0 Karma
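Martin's point about distinct counts, as an added worked example that is not from the thread or from Splunk: the rows below are constructed stand-ins for the monthly billing CSV (Date, Host_Name only), and the script diffs each month's host set against the previous month's so that adds and removes are counted per host even when the delta of the distinct count is zero.

```python
from collections import defaultdict

# Constructed sample rows (Date, Host_Name) mirroring the monthly CSV feed.
# Not real data: March has A,B,C; April swaps C for D; May swaps B for E.
SAMPLE_ROWS = [
    ("2016/03/01", "hostA"), ("2016/03/01", "hostB"), ("2016/03/01", "hostC"),
    ("2016/04/01", "hostA"), ("2016/04/01", "hostB"), ("2016/04/01", "hostD"),
    ("2016/05/01", "hostA"), ("2016/05/01", "hostD"), ("2016/05/01", "hostE"),
    ("2016/05/01", "hostE"),  # duplicate row: sets make dc() robust to repeats
]


def hosts_by_month(rows):
    """Group distinct Host_Name values by the YYYY/MM part of Date."""
    months = defaultdict(set)
    for date, host in rows:
        months[date[:7]].add(host)
    return dict(months)


def host_movement(rows):
    """Per month: distinct count, its delta vs. the previous month, and the
    per-host adds/removes obtained by set difference against that month."""
    months = hosts_by_month(rows)
    prev, result = None, []
    for month in sorted(months):
        current = months[month]
        if prev is None:
            added, removed, delta = set(), set(), 0  # no baseline yet
        else:
            added, removed = current - prev, prev - current
            delta = len(current) - len(prev)
        result.append({
            "month": month,
            "dc": len(current),
            "delta": delta,                      # what the dc()-based search sees
            "added": sorted(added),
            "removed": sorted(removed),
            "movement": len(added) + len(removed),  # what the asker wants
        })
        prev = current
    return result


if __name__ == "__main__":
    for row in host_movement(SAMPLE_ROWS):
        print(row)
```

For April and May the delta is 0 while movement is 2, which is exactly the case the dc()-based timechart cannot distinguish from "nothing changed".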

smudge797
Path Finder

Hi Martin,
What you have described with distinct count is the challenge for me. The events come in a CSV input once a month, which is then summarized. This is a sample event:

2016/05/01,9810440,Infrastructure,Distributed Storage,Backup,Backup,Backup,0.05,DCI Backup,USER SERVICES (blah),WORKSPACE SERVICES (blah),WORKSPACE SERVICES (blah),1580962,S1005WIF790,182976,ORG TRANSFER - TELEPHONY 802,$0 ,0

Cost = $0
Cost Center = 123456
Cost_Center = Distributed Storage
Date = 2016/05/01
Feed_Name = blah Backup
Host_Name = myhost
Org L4 = USER SERVICES (blah)
Org L5 = WORKSPACE SERVICES (blah1)
Org L6 = WORKSPACE SERVICES (bah2)
Org_Description = ORG TRANSFER - TELEPHONY 123
Org_L5 = Backup (Blah5)
Org_L6 = 0.05
PPGL1 = Infrastructure
PPGL2 = Distributed Storage
PPGL3 = Backup
PPGL4 = Backup
Product = Backup
Standard Price = 0.05
Volume = 0
date_mday = 1
date_month = may
date_wday = sunday
date_year = 2016
date_zone = -240
field1 = 2016/05/01
field2 = 9810440
host = myindexer
index = blahblah
linecount = 1
punct = //,,_,_,,,_(),.,_,___(),__(),___(),,,,__-__,$_,
source = May billing detail.csv
sourcetype = blah
splunk_server = myindexer indexer
tag = index

0 Karma