How do I list all sources on a specific host?

toomanyedwards · ‎11-20-2013

Hi all, How do I show all sources for a specific host? I can query for a specific host a la: host="myhost" and then hit "source" in the sidebar, but that only shows the top ten sources on that host. I don't know how to see more than that. I have seen an example of how to list all sources for all hosts by host, but that's extremely long running in our environment and not really what we need. I just need to see the sources for specific hosts to verify that our indexing config is setup correctly and the logs that we want to be indexed are showing up as sources. I'm guessing this is any easy one, but I am splunk noob and haven't been able to figure it out. Any help is appreciated. Thanks!

-e

jonahcofer · ‎11-20-2013

host="hostname" | stats count by source

somesoni2 · ‎11-20-2013

This should be the fastest method per my knowledge

|metasearch host="<yourhostname>"

This search will provide following fields:-

host,source,sourcetype,index,splunk_server

From which you can use source field for your requirement.

lukejadamec · ‎11-20-2013

The full search would look like this:
|metasearch host="" | dedup source | table source

jrich523 · ‎11-20-2013

host="abc" | dedup source | table field source

How do I list all sources on a specific host?

Detecting Remote Code Executions With the Splunk Threat Research Team

Observability | Use Synthetic Monitoring for Website Metadata Verification

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk