Solved: How to check if new hosts get added to instance & ...

abhijit_mhatre · ‎09-19-2016

The number to hosts have increased in our instance & we want to check which ones are the new ones added. Also we want to get alerted on a weekly basis if a new host gets added. Can anyone let me know the query to check the newly added hosts?

Thanks in Advance.

inventsekar · ‎09-19-2016

i am not sure if there is any direct way available for this one.. but, we can find out the first message from a host and approximately, we can assume that date as the host added date.
i am querying only head 100 hosts(oldest 100 hosts).. we can use tail 100 to get most recent 100 hosts.

| metadata type=hosts | head 100
 | fields host firstTime lastTime totalCount
 | sort -totalCount
 | fieldformat firstTime=strftime(firstTime,"%x %X")
 | fieldformat lastTime=strftime(lastTime,"%x %X")

View solution in original post

inventsekar · ‎09-19-2016

i am not sure if there is any direct way available for this one.. but, we can find out the first message from a host and approximately, we can assume that date as the host added date.
i am querying only head 100 hosts(oldest 100 hosts).. we can use tail 100 to get most recent 100 hosts.

| metadata type=hosts | head 100
 | fields host firstTime lastTime totalCount
 | sort -totalCount
 | fieldformat firstTime=strftime(firstTime,"%x %X")
 | fieldformat lastTime=strftime(lastTime,"%x %X")

inventsekar · ‎09-21-2016

Hi abhijit, if you want to query date wise, lets say, new hosts added last week, then -
tested and working fine..

 | metadata type=hosts |eval SevenDaysBack = relative_time(now(), "-7d@d") 
 | where firstTime > SevenDaysBack 
 | eval hostAdded=strftime(firstTime, "%d-%m-%Y %H:%M") 
 | table host, hostAdded | sort hostAdded

abhijit_mhatre · ‎09-21-2016

Thanks @inventsekar for your help 🙂

How to check if new hosts get added to instance & get alerted?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life