Active computers reporting to splunk last 30 days

cyler · ‎04-05-2018

I would like to know how to search for all computers that are reporting to Splunk in the last 30 day.

Thank you

cyler · ‎04-06-2018

Forgive my being naive - Here is what result I get back

DalJeanis · ‎04-06-2018

get rid of everything before the first pipe

elliotproebstel · ‎04-05-2018

You could try these:

| tstats latest(_time) AS latest where index=* by host

or
| metadata type=hosts
Either should work.

adonio · ‎04-05-2018

many ways to go about it ...
try this |metadata type=hosts
see the output of the command and start exploring ...
heres a link to the doc that has more elaborated examples:
http://docs.splunk.com/Documentation/Splunk/7.0.3/SearchReference/Metadata
hope it helps

cyler · ‎04-06-2018

index=my_index* | metadata type=hosts

Error in 'metadata' command: This command must be the first command of a search.
The search job has failed due to an error. You may be able view the job in the Job Inspector.

adonio · ‎04-06-2018

please read the doc
metadata is a generating command has to be first
no need for index = something before
place this in your searchbae literally |metadata type=hosts

skulk · ‎04-05-2018

Hi,

You should ru search like this one (set time-range picker for last 30 days):

index=* | stats count by host

This search will show you all hosts and number of events from each other.

Active computers reporting to splunk last 30 days

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms