Getting Data In

Anyone have a good search to compare todays hosts against yesterdays?

daniel333
Builder

All,

I'd just like a report sent to me daily listing the host names appearing in Splunk in the last 24 hours.

Guessing I have to search metadata twice and then diff them, but thought someone might have an app or a search that does this already? No sense in reinventing the wheel. Basically just want a high-level list of host names of what joined Splunk while I was out.

0 Karma

MuS
SplunkTrust

Hi daniel333,

give this a try:

| tstats dc(host) AS yesterday WHERE index=* earliest=-1d@d latest=-0d@d 
| append 
    [| tstats dc(host) AS today WHERE index=* earliest=@d latest=now ] 
| stats max(*) AS * 
| where yesterday != today

This will be lightning fast and only shows a result if the host count for yesterday and today differs.

Hope this helps ...

cheers, MuS

PS: the append is not a problem here as long as you don't expect more than 50K hosts 😉

Update : this search will return the host[s]* that don't have events for both days:

| tstats dc(host) AS count WHERE index=* earliest=-1d@d latest=now by host _time span=1d 
| stats sum(count) AS total by host 
| where total != 2
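
As an added example (not part of MuS's answer or the original thread), the following search lists the hosts on each side of the difference rather than only flagging that a difference exists. It keeps the same two-day window and `index=*` scope as the answer above and assumes the default `host` field; the `status` labels are my own wording. Each row is one host that has events on only one of the two days:

```spl
| tstats count WHERE index=* earliest=-1d@d latest=now BY host _time span=1d
| eval day=if(_time >= relative_time(now(), "@d"), "today", "yesterday")
| stats sum(count) AS events dc(day) AS days values(day) AS day BY host
| where days=1
| eval status=if(day="today", "new: no events yesterday", "silent: events yesterday, none so far today")
| table host status events
| sort status, host
```

Save it as a report with a scheduled email action to get the daily list. Two caveats worth keeping in mind: hosts that report on a weekly cycle will show up as "new" every time they check in, so widen `earliest` (for example `-7d@d`) and relabel the buckets if you want a longer baseline; and a host that went "silent" is at least as interesting as a new one, because a forwarder that stopped sending is a common sign of a broken or tampered log pipeline. The `host` field is set by the sender, so treat it as a label, not as proof of which machine produced the events.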

maciep
Champion

doesn't dc() just return a single number?

0 Karma

MuS
SplunkTrust

Yes, it does and it looks like the question can be understood in multiple ways. I updated the answer to provide an example that will list the missing/different host[s]*

cheers, MuS

0 Karma

Sukisen1981
Champion

An app for this looks difficult to find. As far as the search is concerned, instead of searching twice why not use timewrap?

0 Karma