Dear Experts,
We are looking for a search where we can find new hosts that are sending logs to Splunk. I am stuck and don't know where to start.
Any help. Thanks in advance
Hi,
Did any of the answers below help you?
If so, could you please mark it as answered so that we can close the thread?
Thanks,
J
You could try this if you just want to show those new hosts that have reported for the first time since yesterday:
| metadata type=hosts index=_* OR index=*
| where firstTime >= relative_time(now(), "-1d")
| convert timeformat="%Y-%m-%d %T" ctime(firstTime) as firstTime, ctime(lastTime) as lastTime, ctime(recentTime) as recentTime
| table host, firstTime, lastTime, recentTime, Count
Simply modify the relative_time parameters to match your time range needs.
hi sumitkathpal,
You can see which hosts are sending logs to Splunk with this simple search:
index=_internal
If you want to verify if there are new hosts you have to insert your hosts in a lookup and search for them:
index=_internal NOT [ | inputlookup my_hosts.csv | fields host ]
in this way you can find if an host is or not in your lookup.
Bye.
Giuseppe