Re: query to grab the metadata of the host entered...

kteng2024 · ‎01-08-2018

Hello,

Can someone please help me to build a query that will display hostname , IP address , last reported by the forwarder.
If i use the index= star host= star , that will be too much load on the indexers . Is there any better way to grab those metrics.

mayurr98 · ‎01-08-2018

hey try this

| tstats max(_time) as lastReported WHERE index=* by host | eval LastReported=strftime(lastReported,"%m/%d/%y %H:%M:%S") | table LastReported host  | join host [ search index=_internal hostname=* | stats count by sourceIp hostname | rename hostname as host]

Let me know if it works!

somesoni2 · ‎01-08-2018

You can use tstats to get host and last reported by forwarder.

| tstats max(_time) as lastReported WHERE index=* by host

If you've dnslookup external lookup setup, you add that to above query to get the IP address.

kteng2024 · ‎01-08-2018

Thank you for the reply. i have edited the query to convert epoch time to human readable format.Since we don't have external dnslookup , i am relying on internal index. But query couldn't display the sourceIP.

query to grab the metadata of the host entered by the user

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...