topic Re: Query for devices/servers not reporting to Splunk in Getting Data In

How to search for devices/servers not reporting to Splunk?

waJesu — Wed, 31 May 2023 15:09:40 GMT

I have two queries I want to merge and I need expert help. The first one returns reporting devices as good and non-reporting devices as missing. The second one returns the missing devices with a heartbeat but not sending logs. Help me come up with one query that would show results for Good, Heartbeat and Missing:

| tstats latest(_time) as latest where index="*" earliest=-5d by host | eval recent = if(latest > relative_time(now(),"-15m"),"Good","Missing"), realLatest = strftime(latest,"%c") | tstats latest(_time) as latest where index="_*" earliest=-5d by host | eval recent = if(latest > relative_time(now(),"-15m"),"Heartbeat","Missing"), realLatest = strftime(latest,"%c")

Re: How to search for devices/servers not reporting to Splunk?

richgalloway — Thu, 01 Jun 2023 13:11:34 GMT

See if this helps.

| tstats latest(_time) as latest where (index="*" OR index=_internal) earliest=-5d by host | eval recent = case(index!=_internal AND latest > relative_time(now(),"-15m"),"Good", index!=_internal AND latest <= relative_time(now(),"-15m"), "Missing", index=_internal AND latest > relative_time(now(),"-15m"), "Heartbeat", 1==1, "Missing"), realLatest = strftime(latest,"%c")

Standard disclaimer: don't use index=* in production.

Re: Query for devices/servers not reporting to Splunk

waJesu — Wed, 31 May 2023 17:02:58 GMT

This is the error I am getting after running the query:

Re: Query for devices/servers not reporting to Splunk

richgalloway — Wed, 31 May 2023 17:31:30 GMT

I dropped a comma in my reply. It's fixed.

Re: Query for devices/servers not reporting to Splunk

waJesu — Thu, 01 Jun 2023 11:10:36 GMT

Thank you. I think you forgot to attach the corrected query.

Re: Query for devices/servers not reporting to Splunk

richgalloway — Thu, 01 Jun 2023 12:30:50 GMT

Didn't forget. The correction is in the original query.

Re: Query for devices/servers not reporting to Splunk

waJesu — Thu, 01 Jun 2023 12:47:27 GMT

I am not sure why it's returning "Missing only even on devices that are reporting. Maybe the query needs a tweak?

Re: Query for devices/servers not reporting to Splunk

richgalloway — Thu, 01 Jun 2023 13:12:01 GMT

Query has been tweaked.

Re: Query for devices/servers not reporting to Splunk

waJesu — Thu, 01 Jun 2023 13:29:21 GMT

Maybe I am missing something. It's still returning "Missing" for everything.

Re: Query for devices/servers not reporting to Splunk

richgalloway — Thu, 01 Jun 2023 14:33:09 GMT

Please have a look at the case function and verify the logic there meets your business requirements.

Re: Query for devices/servers not reporting to Splunk

waJesu — Thu, 01 Jun 2023 15:28:20 GMT

I think it does. We want the query to return devices sending logs as Good, those not reporting as Missing and those missing yet have a heartbeat as Heartbeat. That's what the case function is saying. I am actually surprised I am not getting expected results.

Re: Query for devices/servers not reporting to Splunk

waJesu — Fri, 02 Jun 2023 10:46:44 GMT

Good morning. Any new thoughts as to why my results are showing "Missing" only even for devices/servers I know to be reporting? Anything to tweak the query somehow?

Re: Query for devices/servers not reporting to Splunk

waJesu — Fri, 02 Jun 2023 14:52:49 GMT

Good morning. Any new thoughts as to why my results are showing "Missing" only even for devices/servers I know to be reporting? Anything to tweak the query somehow?