How to write a search to report hosts, counts of s...

Ronvgraham · ‎08-27-2014

I would like to be able to create/run a report that would show me the hosts, sourcetypes for each host, and the sources for each sourcetype. For the sourcetypes and sources, I would like to have beginning date, and end date for each along with a count. Similar to what I find on the data summary page on the main search page but in a more hierarchical structure. It would look something like this:

Host(s)->Sourcetypes->Sources with Begin Date, End Date and Count for Sourcetypes and Sources

Does a report like this exist in any of the splunk apps or is there a way to create this easily? As we expanded to have multiple indexers, this would be very valuable in documenting what is on each of the indexers for the team and key employees through the institution. It would also be helpful for identifying information that does not need to be indexed or is missing on each of the servers.

Thank you for any help you can provide

Ayn · ‎08-27-2014

Well not strictly exactly the output format you're after, but you can have lots of fun with tstats. This would be one idea:

| tstats earliest(_time) as begin_date,latest(_time) as end_date, count by host,sourcetype,source | convert ctime(begin_date) ctime(end_date)

Ronvgraham · ‎08-27-2014

It appears this will do what I am looking for. I will work on the formatting -- Thank you for the answer.

How to write a search to report hosts, counts of sources and sourcetypes with beginning and end dates?

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio