All,
I'd just like a daily report sent to me listing the host names appearing in Splunk in the last 24 hours.
Guessing I have to search metadata twice and then diff them, but thought someone might have an app or a search that does this already? No sense in reinventing the wheel. Basically I just want a high-level list of the host names that joined Splunk while I was out.
Hi daniel333,
give this a try:
| tstats dc(host) AS yesterday WHERE index=* earliest=-1d@d latest=-0d@d
| append
[| tstats dc(host) AS today WHERE index=* earliest=@d latest=now ]
| stats max(*) AS *
| where yesterday != today
This will be lightning fast and only shows a result if the count of the hosts of yesterday and today is different.
Hope this helps ...
cheers, MuS
PS: the append is not a problem here as long as you don't expect more than 50K hosts 😉
Update: this search will return the host[s] that don't have events for both days:
| tstats dc(host) AS count WHERE index=* earliest=-1d@d latest=now by host _time span=1d
| stats sum(count) AS total by host
| where total != 2
Doesn't dc() just return a single number?
Yes, it does, and it looks like the question can be understood in multiple ways. I updated the answer to provide an example that will list the missing/different host[s].
cheers, MuS
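Building on the updated search above, here is an added example (not from the original thread) that splits the hosts seen on only one of the two days into those first seen today and those that went quiet, which is the "what joined while I was out" view the question asks for. It assumes the same index=* scope and the same two calendar-day windows as the answer.

```spl
| tstats count WHERE index=* earliest=-1d@d latest=now BY host _time span=1d
| eval day=if(_time >= relative_time(now(), "@d"), "today", "yesterday")
| stats values(day) AS days BY host
| eval status=case(mvcount(days)==2, "seen both days",
                   days=="today", "new today",
                   days=="yesterday", "missing today")
| where status!="seen both days"
| table host status
```

Hosts labelled "new today" are the ones to review for unexpected forwarders; "missing today" doubles as a simple check for log sources that stopped reporting.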
An app for this looks difficult to find. As far as the search is concerned, instead of searching twice, why not use timewrap?