Splunk search for most active Linux hosts
sourcetype=linux_secure | rex "\w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}\s(?<hostname>\S+)" | top limit=10 hostname
This search simply lists the Linux hosts that are reporting the most events into Splunk. It does not take license usage or data volume into account, only the number of raw events ingested.
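The search relies on the `rex` stage extracting the hostname from the syslog header of each raw event; whatever the regex fails to match is silently left out of the `top` count. The following Python script is an added example (not Splunk code and not part of the original page) that emulates `rex ... | top limit=N hostname` over a handful of constructed `secure`-log lines, comparing a strict two-digit-day pattern with a tolerant one that also accepts the space-padded single-digit day syslog emits (for example `Mar  5`). The sample lines, host names and IP addresses are made up for the demonstration.

```python
import re
from collections import Counter

# Constructed sample lines in the classic syslog "secure" format (not real data).
SAMPLE_LOGS = [
    "Mar 14 09:12:01 web01 sshd[2210]: Accepted publickey for deploy from 10.0.0.5 port 51022 ssh2",
    "Mar 14 09:12:07 web01 sshd[2211]: Accepted publickey for deploy from 10.0.0.5 port 51023 ssh2",
    "Mar 14 09:13:44 db01 sudo:   admin : TTY=pts/0 ; PWD=/home/admin ; USER=root ; COMMAND=/bin/systemctl status postgresql",
    "Mar  5 22:01:09 bastion sshd[1410]: Failed password for invalid user test from 198.51.100.7 port 40022 ssh2",
    "Mar  5 22:01:11 bastion sshd[1410]: Failed password for invalid user test from 198.51.100.7 port 40022 ssh2",
    "Mar 14 09:15:00 web01 sshd[2212]: Disconnected from user deploy 10.0.0.5 port 51022",
]

# Strict variant: requires exactly one space and a two-digit day, so "Mar  5" never matches.
STRICT_RE = re.compile(r"\w{3}\s\d{2}\s\d{2}:\d{2}:\d{2}\s(?P<hostname>\S+)")
# Tolerant variant: allows the space-padded single-digit day that syslog emits for days 1-9.
TOLERANT_RE = re.compile(r"\w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}\s(?P<hostname>\S+)")


def top_hosts(lines, pattern, limit=10):
    """Emulate `rex ... | top limit=N hostname`: count events per extracted hostname.

    Lines the regex does not match are skipped, just as rex leaves the field
    unset and top then ignores the event. Returns (hostname, count) pairs,
    most frequent first.
    """
    counts = Counter()
    for line in lines:
        m = pattern.search(line)
        if m:
            counts[m.group("hostname")] += 1
    return counts.most_common(limit)


if __name__ == "__main__":
    # The strict pattern drops every event from the single-digit-day host.
    print("strict:  ", top_hosts(SAMPLE_LOGS, STRICT_RE))
    print("tolerant:", top_hosts(SAMPLE_LOGS, TOLERANT_RE))
```

Running it shows the strict pattern undercounting: `bastion` disappears from the ranking entirely because its events fall on the 5th of the month, while the tolerant pattern attributes all six events. A quick sanity check in Splunk is to compare the event count of the raw search with the sum of the `count` column from `top`; a gap means the regex is not matching some events.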