query to grab the metadata of the host entered by ...

kteng2024 · ‎01-08-2018

Hello,

Can someone please help me to build a query that will display hostname , IP address , last reported by the forwarder.
If i use the index= star host= star , that will be too much load on the indexers . Is there any better way to grab those metrics.

mayurr98 · ‎01-08-2018

hey try this

| tstats max(_time) as lastReported WHERE index=* by host | eval LastReported=strftime(lastReported,"%m/%d/%y %H:%M:%S") | table LastReported host  | join host [ search index=_internal hostname=* | stats count by sourceIp hostname | rename hostname as host]

Let me know if it works!

somesoni2 · ‎01-08-2018

You can use tstats to get host and last reported by forwarder.

| tstats max(_time) as lastReported WHERE index=* by host

If you've dnslookup external lookup setup, you add that to above query to get the IP address.

kteng2024 · ‎01-08-2018

Thank you for the reply. i have edited the query to convert epoch time to human readable format.Since we don't have external dnslookup , i am relying on internal index. But query couldn't display the sourceIP.

query to grab the metadata of the host entered by the user

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!