I want to produce a search that returns basic information about our indexes, specifically the index name, the splunk_server(s) that have the index data, and the hosts that provided the data.
Right now I have this search:
index=* | dedup index splunk_server host | table index splunk_server host
This returns a very large table where each row contains a single "host" entry:
index splunk_server host
index_a server001 client001
index_a server001 client002
index_a server001 client003
index_a server002 client001
index_a server001 client002
index_b server001 client001
What I would like is to group all of the hosts together when the index and splunk_server match.
index splunk_server host
index_a server001 client001, client002, client003
index_a server002 client001, client002
index_b server001 client001
Adding the mvcombine option helps:
index=* | dedup index splunk_server host | sort index splunk_server | mvcombine delim="," host | table index splunk_server host
...but there are still many places where the index+splunk_server are the same but the hosts between these lines aren't combined.
Any ideas?
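
An added example, not part of the original post: one way to get the grouped output described above is to aggregate with stats instead of dedup and mvcombine. values(host) collects the distinct hosts for each index and splunk_server pair, and mvjoin turns that multivalue field into the comma-separated string shown in the desired table; only fields and commands named in the post or standard SPL are used.

```spl
index=*
| stats values(host) AS host BY index splunk_server
| eval host=mvjoin(host, ", ")
| sort index splunk_server
| table index splunk_server host
```

Because stats keeps only the fields named in the aggregation and the BY clause, other per-event fields cannot keep rows with the same index and splunk_server apart. This gives an inventory of which hosts report into which index and indexer, which can be compared against the list of systems expected to be logging.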