How to write a search to find new hosts that are s...

sumitkathpal · ‎01-04-2017

Dear Experts,

We are looking for a search where we can find new hosts that are sending logs to Splunk. I am stuck and don't know where to start.

Any help. Thanks in advance

javiergn · ‎01-26-2017

Hi,

Did any of the answers below help you?
If so, could you please mark it as answered so that we can close the thread?

Thanks,
J

javiergn · ‎01-04-2017

You could try this if you just want to show those new hosts that have reported for the first time since yesterday:

| metadata type=hosts index=_* OR index=*
| where firstTime >= relative_time(now(), "-1d")
| convert timeformat="%Y-%m-%d %T" ctime(firstTime) as firstTime, ctime(lastTime) as lastTime, ctime(recentTime) as recentTime
| table host, firstTime, lastTime, recentTime, Count

Simply modify the relative_time parameters to match your time range needs.

gcusello · ‎01-04-2017

hi sumitkathpal,
You can see which hosts are sending logs to Splunk with this simple search:

index=_internal

If you want to verify if there are new hosts you have to insert your hosts in a lookup and search for them:

index=_internal NOT [ | inputlookup my_hosts.csv | fields host ]

in this way you can find if an host is or not in your lookup.
Bye.
Giuseppe

How to write a search to find new hosts that are sending logs to Splunk?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life