query to grab the metadata of the host entered by ...

kteng2024 · ‎01-08-2018

Hello,

Can someone please help me to build a query that will display hostname , IP address , last reported by the forwarder.
If i use the index= star host= star , that will be too much load on the indexers . Is there any better way to grab those metrics.

mayurr98 · ‎01-08-2018

hey try this

| tstats max(_time) as lastReported WHERE index=* by host | eval LastReported=strftime(lastReported,"%m/%d/%y %H:%M:%S") | table LastReported host  | join host [ search index=_internal hostname=* | stats count by sourceIp hostname | rename hostname as host]

Let me know if it works!

somesoni2 · ‎01-08-2018

You can use tstats to get host and last reported by forwarder.

| tstats max(_time) as lastReported WHERE index=* by host

If you've dnslookup external lookup setup, you add that to above query to get the IP address.

kteng2024 · ‎01-08-2018

Thank you for the reply. i have edited the query to convert epoch time to human readable format.Since we don't have external dnslookup , i am relying on internal index. But query couldn't display the sourceIP.

query to grab the metadata of the host entered by the user

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life