Splunk Search

How to write a search to find new hosts that are sending logs to Splunk?

sumitkathpal
Explorer

Dear Experts,

We are looking for a search where we can find new hosts that are sending logs to Splunk. I am stuck and don't know where to start.

Any help. Thanks in advance

0 Karma

javiergn
SplunkTrust
SplunkTrust

Hi,

Did any of the answers below help you?
If so, could you please mark it as answered so that we can close the thread?

Thanks,
J

0 Karma

javiergn
SplunkTrust
SplunkTrust

You could try this if you just want to show those new hosts that have reported for the first time since yesterday:

| metadata type=hosts index=_* OR index=*
| where firstTime >= relative_time(now(), "-1d")
| convert timeformat="%Y-%m-%d %T" ctime(firstTime) as firstTime, ctime(lastTime) as lastTime, ctime(recentTime) as recentTime
| table host, firstTime, lastTime, recentTime, Count

Simply modify the relative_time parameters to match your time range needs.

0 Karma

gcusello
SplunkTrust
SplunkTrust

hi sumitkathpal,
You can see which hosts are sending logs to Splunk with this simple search:

index=_internal

If you want to verify if there are new hosts you have to insert your hosts in a lookup and search for them:

index=_internal NOT [ | inputlookup my_hosts.csv | fields host ]

in this way you can find if an host is or not in your lookup.
Bye.
Giuseppe

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...