Solved: How can I search for a list of all 50 hosts on my ...

imagecartel · ‎08-23-2017

Instead of typing in each host one by one in the data field to see when it was last updated, is there a way to run a command search to show me, lets say, all 50 hosts on my network with the last date it was powered on and talked to the gateway/router/network? I want to be able to quickly find all machines that have not been turned on in a while to see if those machines are standalone or machines that are no longer used and can be removed. Is there an event code for sourcetype=network IP access?

DalJeanis · ‎08-23-2017

Try something like this...

 | metadata type=hosts  | rename lastTime AS _time | fields _time host | search [| inputcsv myhosts.csv | table host]

To find any that are missing, you might want to add this...

 | append [| inputcsv myhosts.csv | table host | eval _time=strptime("2000-01-01","%Y-%m-%d")]
 | stats max(_time) by host
 | sort 0 _time

View solution in original post

DalJeanis · ‎08-23-2017

Try something like this...

 | metadata type=hosts  | rename lastTime AS _time | fields _time host | search [| inputcsv myhosts.csv | table host]

To find any that are missing, you might want to add this...

 | append [| inputcsv myhosts.csv | table host | eval _time=strptime("2000-01-01","%Y-%m-%d")]
 | stats max(_time) by host
 | sort 0 _time

imagecartel · ‎08-23-2017

This is what worked:
| metadata type=hosts | rename lastTime AS _time | fields _time host | search host=1 OR host=2 OR host=3 and so on

Thanks Daljeanis

DalJeanis · ‎08-23-2017

Yes, that's what we were going for. Putting it in a csv file is usually easier for large numbers of machines (like when you have 50 of them).

The construction [| inputcsv myhosts.csv | table host] will create language that looks like this for each field host in the csv...

    ( ( host="host1" )  OR  ( host="host2" )  OR .... )

to see exactly what it looks like, do this...

 | inputcsv myhosts.csv | table host | format

...or use this run-anywhere sample...

|makeresults | eval host=mvappend("host1","host2","host3") | mvexpand | format

somesoni2 · ‎08-23-2017

What's your splunk search to get status of single host?

imagecartel · ‎08-23-2017

Splunk main page; Data Summary; type in host=xyz. Results show last time host was active on the network. If I have 100 host to check, is there an easier way instead of typing in 100 hosts manually in the Data Summary? Can I type in a command with inserting all host names to spit out the results they were all last active?

somesoni2 · ‎08-23-2017

You can run a search like this.

| metadata type=hosts index=* | search [| gentimes start=-1 | host="host1 host2 host3...put all hosts space separated here.." | table host | makemv host | mvexpand host ] | table host totalCount recentTime | eval recentTime=strftime(recentTime,"%F %T") | rename host as "Host" totalCount as Count recentTime as "Last Update"

imagecartel · ‎08-23-2017

It does not like the command host in ( start=-1 | host )

somesoni2 · ‎08-23-2017

Oops, try this (missed writing eval)

| metadata type=hosts index=* | search [| gentimes start=-1 | eval host="host1 host2 host3...put all hosts space separated here.." | table host | makemv host | mvexpand host ] | table host totalCount recentTime | eval recentTime=strftime(recentTime,"%F %T") | rename host as "Host" totalCount as Count recentTime as "Last Update"

How can I search for a list of all 50 hosts on my network with the most recent date it was powered on?

New in Observability Cloud - Explicit Bucket Histograms

Updated Team Landing Page in Splunk Observability

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...