topic Re: Sourcetype Identification in Getting Data In

Sourcetype Identification

Sandy — Thu, 27 Jan 2022 12:40:07 GMT

Hi,

There is some host which is reporting to Splunk with a different sourcetype. We want to filter all the host which is only reporting for XYZ sourcetype. And host needs to be shown if it's reporting for XYZ sourcetype along with any other sourcetype. could you please help us on this query.

Re: Sourcetype Identification

jotne — Thu, 27 Jan 2022 12:48:40 GMT

Here is what I do:

your search
| eval test=if(sourcetype="xyz",1,0)

Then you have a field that is 1 for xyz sourcetype and 0 for all other.

Re: Sourcetype Identification

Sandy — Thu, 27 Jan 2022 13:10:07 GMT

Hi Jotne,

We see that for all the host it is showing as 0 only, could you please guide me what changes required.

Re: Sourcetype Identification

PickleRick — Thu, 27 Jan 2022 13:49:25 GMT

Let me rephrase this because it's not obvious what you need.

I understand that you have a bunch of hosts (let's say host1, host2, ... hostn) from which you're receiving various events with various sourcetypes.

And you want to know if - for each host - sourcetypes for events from this host include XYZ or not.

So effectively you need a table like

Host	Sends XYZ
host1	Yes
host2	no
...
hostn	no

If so, you might do

| tstats values(sourcetype) as sourcetypes where index=* by host
| eval SendsXYZ=if(sourcetypes="XYZ","Yes,"No")
| fields - sourcetypes

Of course if you want to limit your search to a subset of your indexes, you might edit the index=* condition.

Re: Sourcetype Identification

jotne — Thu, 27 Jan 2022 15:40:58 GMT

Post some example data and how you like the result to be.

Re: Sourcetype Identification

Sandy — Thu, 27 Jan 2022 16:38:47 GMT

Pleas find the exact requirement below:

Consider same hosts like (Host1, Host2, Host3) and sourcetypes like (abc, def, xyz) which have a reporting table as below,

Host Name	Sourcetype Reporting
Host1	abc, xyz
Host2	xyz
Host3	abc, def, xyz

Here, as you see, Host1 & Host3 are reporting to other sourcetype as well apart from xyz. I want to filter the host having only xyz as the sourcetype. So, in this case it would be Host2.

Re: Sourcetype Identification

PickleRick — Thu, 27 Jan 2022 17:08:38 GMT

Ok. So my solution was relatively close. The firsf part was ok. That's how you get the aggregation

| tstats values(sourcetype) as sourcetypes where index=* by host

This will give you a table very similar to the one you posted.

Now all you need to do is to filter it to only include the ones that have anything else than xyz.

To be fully precise, you want the ones that might include xyz but not as a single value but when you join it with the requirement that there must be a sourcetype for every event (so you won't get empty sourcetypes from the aggregation above), you just need to find those entries which contain a value that is different than xyz.

| where sourcetypes!="xyz"

Luckily the match for multivalued fields is evaluated on every value from such field and matches if the condition is fulfilled for anymof the values.

Re: Sourcetype Identification

isoutamo — Thu, 27 Jan 2022 17:10:57 GMT

Then you could try something like this (please check syntax as I haven’t splunk on my hands to check it)

| tstats count values(sourcetype) as sts where index=* AND sourcetype="<your sourcetype>" by host | where count > 0 AND mvcount(sts) = 1 | fields - count sts

r. Ismo