- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Count of UF reporting by serverclass over time
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Count of UF reporting by serverclass over time
I can look in the _internal index on the deployment server to get this log
xxxx.xxx.xxx.xxx - - [24/Sep/2014:10:09:39.751 -0500] "POST /services/broker/phonehome/connection_X.X.X.X_8089_AnyServer.MyDomain.com_AnyServer_ServerClass HTTP/1.0" 200 1468 - - - 44ms
So I can see the Server name and the serverclass of the system. I can create a search like this:
host="DeploymentServer" index="_internal" sourcetype="splunkd_access" "POST /services/broker/phonehome/connection" serverclass=* earliest=-3mon@mon latest=@mon| dedup clientip | timechart span=1m count AS "Num Systems"
My problem is that for the 3 month I have over 15 million records for the phonehome log from my more than 600 systems.
Anyone know of a faster way to search for hosts connected by month to the deployment server?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You should be able to use the REST interface to get what you want a little more elegantly, as was suggested to me in this answer.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@pmdba Thanks for the sugestion. I tried this search
| rest /services/deployment/server/clients | table clientName hostname
and this one
| rest /services/deployment/server/clients
and it returned no results over a month
I tried this one too,
|eventcount summarize=false index=* | table index | map maxsearches=1000 search="|metadata type=hosts index=$index$ | table host | eval index=\"$index$\""
and it gave me all the host that had ever recorded data to the system to any index and no time intervel to sort on or compair to last month
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Expected result?
Client IP: count of connections?
Client IP: count of serverclasses?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
in one case I would like all servers reporting per month over time. this will show a trend of added servers.
In another case I would like number of servers by serverclass over time. each server class is an operational origination. this will show which org is putting in the most systems over time.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sorry if I do this I can get a count by serverclass
host="DeploymentServer" index="_internal" sourcetype="splunkd_access" "POST /services/broker/phonehome/connection" serverclass=* earliest=-3mon@mon latest=@mon| dedup clientip | timechart span=1m count by serverclass
Join Us for Splunk University and Get Your Bootcamp Game On!
.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!
Announcing Scheduled Export GA for Dashboard Studio
