I have what I think should be a simple search, but I'm not quite able to come up with a way to do it. Ultimately I guess this is simply summing the total sources per host. I'm trying to count the number of unique sources Splunk has used over the last, say, 30 days. When I say unique sources, I mean that it would count host1: /a/b/c, /d/e/f; host2: /a/b/c, /d/e/f; host3: /a/b/c, /d/e/f as 6 separate sources even though the actual source name is the same. I had tried looking at the total sources in "metadata" but that looks at more sources than I'm looking for. I don't need a breakdown by host, or a listing of the sources -- just a total count. It seems like I'd want to somehow combine the hostname and the source name into one text field and then count the number of unique instances of that? Thanks very much.
If you need to query this a lot, you should build a (daily or hourly) summary index of This is another place where it would be nice to search just the index without actually incurring the overhead of loading the raw data for each event. But for now, I'd suggest making sure that the event typer and lookups are disabled when creating a saved search for this. (Splunk should be able to disable a bunch of field extractions too, hopefully.)
(24 Jun '10, 22:58)
Lowell ♦
This isn't something I need to run regularly so I can handle the long-running search. Thanks very much for the response!
(25 Jun '10, 13:44)
mfrost8
