I want to find out which devices are integrated with Splunk and sending logs. I don't have admin rights and have access to the Search Head only.
Please advise how to fetch the integrated host details with hostname, index, sourcetype and source.
Try these:
| tstats count values(sourcetype) where index=* BY index
And:
| tstats count values(host) where index=* BY sourcetype
Or maybe combined like this:
| tstats count where index=* BY host sourcetype index
| stats list(count) AS host_total list(host) AS host sum(count) AS sourcetype_total BY sourcetype index
| nomv host
| nomv host_total
| stats list(host) AS host list(host_total) AS host_total sum(sourcetype_total) AS sourcetype_total BY index
Thanks a lot, woodcock. It really helps.
When you are done gathering answers, be sure to pick one and click Answer to close it out.
Run this
| metasearch index=* sourcetype=*
| table index source host sourcetype
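The two answers above (woodcock's tstats searches and the metasearch/table search) both produce one row per event or per host, which is where the redundancy comes from. The search below is an added example, not code from either answer or from the Splunk documentation: it uses tstats to return exactly one row per distinct index/sourcetype/source/host combination, with an event count and first/last-seen timestamps, and flags combinations that have gone quiet. The 7-day search window (`earliest=-7d`) and the 24-hour staleness threshold are assumptions chosen for illustration; adjust them to your retention and your sources' expected cadence. It also includes internal indexes (`index=_*`), which `index=*` alone does not match.

```spl
| tstats count AS events min(_time) AS first_seen max(_time) AS last_seen
    where (index=* OR index=_*) earliest=-7d
    BY index sourcetype source host
| eval hours_since_last=round((now()-last_seen)/3600, 1)
| eval status=if(hours_since_last>24, "STALE", "active")
| eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S")
| eval last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| table index sourcetype source host events first_seen last_seen hours_since_last status
| sort status, index, sourcetype, host
```

Because tstats reads the index-time fields directly, this runs far faster than `metasearch ... | table` over the same window, and it does not need admin rights: as a search-head-only user you will simply see the indexes your role is allowed to search, which is itself a useful check of what you can and cannot audit. The `status` column is the part worth watching from a security-operations standpoint: a host/sourcetype pair that was sending a week ago and is now STALE usually means a broken forwarder, a changed log path, or a device that was decommissioned without anyone telling the SOC. If you only want the distinct combinations without counts, `| metasearch index=* | stats count BY index sourcetype source host` gives the same set of rows, just more slowly.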
Hi skoelpin, thanks for your help. I need another favour. It's a huge amount of data with redundancy. Can you tell me if the result can have distinct values?