Hi,
Is there a way to use the tstats
command to list the number of unique hosts that report into Splunk over time? I'm looking to track the number of hosts reporting in on a monthly basis, over a year.
a single one-liner should do the trick
| tstats dc(host) WHERE index=_internal by _time
Yes ofcourse there is, try this and run it over a 1 year period.. It may be slow depending on how many unique hosts you have and how many indexers you have. If you have to run this frequently, I'd recommend setting this up as a scheduled search to populate a summary index
| tstats prestats=f count WHERE index=* sourcetype=* by _time, host
| timechart span=1mon dc(host) AS unique_host_count
This might be a bit faster.
Trying to not use distinct count
here :
| tstats prestats=f count WHERE index=* sourcetype=* by _time, host span=1mon
| stats count AS distinct_host_count BY _time