Splunk Dev

Compare logs received this week with logs received last week across all indexes and all hosts

samlinsongguo
Communicator

I want to produce a table that shows as below

hostname ThisWeek LastWeek Different
worksta1 223423 2434234 4323
worksta2 223423 2434234 4323
serve1 223423 2434234 4323

What is the best way to achieve that across all indexes and all hosts?

In our environment we have over 100 indexes and over 25,000 workstations/servers, so I can't really do index=* to load everything.
I remember reading something about the _internal index having all the information when messages come in; is that the case?
What if I do not have access to the _internal index; is there any other way to do it?
I tried using | metadata type=hosts index=* but the problem is | metadata does not take earliest=-7d latest=now(), so I can't put it into one search. Am I doing something wrong?

Thanks in advance.

0 Karma
1 Solution

damien_chillet
Builder

Could you try this:

| tstats count as LastWeek where index=<your_index> earliest=-2w@d latest=-1w@d by host
| join host [ | tstats count as ThisWeek where index=<your_index> earliest=-1w@d latest=-0d@d by host]


0 Karma
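The accepted answer produces the two weekly counts; the Different column the question asks for, and the index=* scope discussed further down the thread, still need a few more lines. The search below is an added example and is not damien_chillet's query. It assumes nothing beyond index=* search access; it keeps everything in a single tstats call (no join or append subsearch, so the 25,000-host result is not subject to subsearch row limits) by bucketing per host per day and then assigning each day to ThisWeek or LastWeek.

```spl
| tstats count WHERE index=* earliest=-2w@d latest=@d BY host _time span=1d
| eval week=if(_time < relative_time(now(), "-1w@d"), "LastWeek", "ThisWeek")
| chart sum(count) OVER host BY week
| fillnull value=0 LastWeek ThisWeek
| eval Different=ThisWeek-LastWeek
| rename host AS hostname
| table hostname ThisWeek LastWeek Different
| sort Different
```

tstats reads only the indexed metadata (tsidx) rather than raw events, which is why it stays usable at index=* where a stats-based search would not. Sorting by Different ascending puts the largest drops first: a host with LastWeek above zero and ThisWeek at zero is a log source that has gone silent, which is the condition a detection team most wants this comparison to surface.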


samlinsongguo
Communicator

Hi Damien
Thank you for your answer, but I think there may be a problem with the query consuming too much resource, as I want to run it across all my 100 indexes, which means I have to do index=*. I understand tstats is faster than stats, but would it still take too long to finish the query?
Thanks

0 Karma

damien_chillet
Builder

Well, I think it's the best shot you have.
It depends how big your indexes are, I guess?
You could try and just stop the job if it hangs for too long.

0 Karma

samlinsongguo
Communicator

Actually I tested your query in our environment and it seems to work OK with tstats.
Thank you very much for your help

0 Karma