Try this
| tstats values(host) where index=* earliest=0
Above will give you a multivalue field. Personally, I prefer the below
| tstats count where index=* earliest=0 by host
To add to @PowerPacked's correct answer, I am assuming you are seeing this in the "Selected Fields" sidebar. If so, click "host" there, "Top values", then ensure you have "limit=0" as a parameter to the top command, e.g.:
< your base search >
| top limit=0 host
If you only want to see all hosts, the fastest way to do that is with this search (tstats is extremely efficient):
| tstats values(host)
| top limit=0 host
worked but
| tstats values(host)
only entering that in the search showed a bunch of hosts I've never seen and couldn't open at all.
I'm not following when you say you "couldn't open at all". The tstats command quickly looks at certain fields such as index, host, and _time stored separately from the raw data. Here's another version of the command that will also show the last time data was reported for each index (building on @chinmoya's answer):
| tstats count latest(_time) as _time by host
Finally, this is how you would get all events if you are unfamiliar with a specific host. Be sure you run the command with the same time-frame as the previous search.
index=* host=[host_XYZ]
If you're still having trouble, I highly recommend taking the free ~5-hour Splunk Fundamentals I training. You can find more information here: https://www.splunk.com/en_us/training/courses/splunk-fundamentals-1.html
Means when you click on the hosts and click "View events" or one of the other options. It opens another tab and immediately closes. | tstats values(host) only shows 100 hosts and none are the ones I use. Same thing with | tstats count latest(_time) as _time by host. Can't click on the results and it doesn't show the hosts I use.
It returned 79,227 events. Could I possibly have that many hosts? I don't need access to more than like 30.
Hi
You didn't properly mention where you are seeing this behavior.
You can always use stats to list all values in a field:
your search | stats count by host
If you are facing an issue with the timechart or chart command, use this:
your search | timechart count by host useother=f usenull=f
Thanks
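
The tstats approach from the answers above, extended into a per-host inventory; this is an added example, not a search posted by anyone in the thread. The output field names (events, first_seen, last_seen, indexes, hours_silent) are names chosen here, and index=* only covers indexes your role is allowed to search.

```spl
| tstats count min(_time) as first_seen max(_time) as last_seen where index=* earliest=0 by host index
| stats sum(count) as events min(first_seen) as first_seen max(last_seen) as last_seen values(index) as indexes by host
| eval hours_silent = round((now() - last_seen) / 3600, 1)
| convert ctime(first_seen) ctime(last_seen)
| sort 0 -events
```

Each result row is one distinct host, so the row count is the number of hosts, while the events column is how many events that host has indexed. The indexes and hours_silent columns show where an unfamiliar host reports and how long ago it last did.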