Howdy. For quite a while we have been using this to generate a useful and pretty list of all Windows Server hosts, showing also the last time they reported to Splunk.
|metadata type=hosts index=ms_evt_security | convert timeformat="%m/%d/%Y" ctime(*) none(host) none(type) none(totalCount) | rename firstTime AS first, recentTime AS last, totalCount AS total | table host,first,last,total | sort - total
Unfortunately -- metadata does not include some key attributes of the server that we need for additional analysis. One of those fields is the TargetDomainName.
So...instead of the quick and pretty metadata search, I tried using this:
index=ms_evt_security | stats count by host TargetDomainName | dedup host
But...this will take 3 hours to run (especially if we are interested in learning when a host stopped reporting, say 2 months ago), and it also does not provide the "first reported" and "last reported" data.
I'd love some suggestions as to how I might "simply" integrate the TargetDomainName field from the log data, into the metadata listing.
Thanks,
Steve
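One way to get the first/last-reported view together with TargetDomainName, as an added example that is not part of the original post (the index name ms_evt_security and the field name TargetDomainName are taken from the question; the time window and the output field names are my assumptions):

```spl
index=ms_evt_security earliest=-90d@d
| stats earliest(_time) AS first_epoch
        latest(_time)   AS last_epoch
        count           AS total
        values(TargetDomainName) AS domains
  BY host
| eval first=strftime(first_epoch, "%m/%d/%Y"),
       last=strftime(last_epoch,  "%m/%d/%Y"),
       days_silent=round((now() - last_epoch) / 86400, 0)
| table host, domains, first, last, days_silent, total
| sort - total
```

This replaces the `stats count by host TargetDomainName | dedup host` approach: `dedup host` keeps only one arbitrary TargetDomainName per host, whereas `values(TargetDomainName)` collects every domain seen for that host, and `earliest(_time)`/`latest(_time)` reproduce the first/last columns that `| metadata` gave you. The `days_silent` column makes hosts that have stopped forwarding security events stand out at the top of the list when you `sort - days_silent` instead. It still scans raw events, so it will not match the speed of `| metadata`; bounding the window with `earliest=` (and running it as a scheduled search that writes to a summary index or lookup, then joining that lookup onto the fast metadata search) is the usual way to keep the interactive query quick.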