Tips on creating a dashboard that reports the tota...

AJeepDude · ‎12-05-2017

I have a search "host=192.168.68.0/23|table host |dedup host" that gives me a list of IP addresses. I would like to turn this into a dashboard item that will report the total number of hosts in this network. How can I do that?

damien_chillet · ‎12-06-2017

The classic way:

  host=192.168.68.0/23 | stats dc(host) as host_count

A bit more advanced (and faster):

| tstats dc(host) as host_count where index=<your_index> sourcetype=<your_sourcetype> host=192.168.68.0/23

renjith_nair · ‎12-05-2017

If you are looking for just count, this should work

<your search>|stats count by host|fields count

Happy Splunking!

cpetterborg · ‎12-05-2017

Actually if you want only the count of the number of hosts, you would have to do:

<your search> |stats count by host | stats count

niketn · ‎12-05-2017

@AJeepDude, I am not sure how your query is working. In the base search you have filtered only one host then table host should give you only one result. Can you provide the index or sourcetype for your base search?

If you have to find the total number of hosts, you should better try dbinspect which gives hostCount or metadata or tstats command specifically for such statistics. Read the documentation and based on your needs coming up with desired query should be easy.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

damien_chillet · ‎12-06-2017

The search is not filtering to one host, it is a CIDR Notation.
Splunk handles CIDR notations.

All hosts with an IP address in the 192.168.68.0/23 (512 possibilities here) network should be returned!

Tips on creating a dashboard that reports the total number of hosts in the network?

Splunk Custom Visualizations App End of Life

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk