topic Re: How can I compare what host am i missing? in Getting Data In

How can I compare what host am i missing?

mmcarty — Fri, 23 Feb 2018 19:58:51 GMT

I have an input lookup called servers.csv (header is called host)
that lookup has all the servers that should be reporting into my sourcetype called: index=main sourcetype=servers
i see the host using: index=main sourcetype=servers host=server1
I need to have a report of what hosts from that CSV are not reporting into my sourcetype.

thank you very much for helping me.

Re: How can I compare what host am i missing?

somesoni2 — Fri, 23 Feb 2018 20:11:30 GMT

Try this. This will give list of hosts from your lookup which do not have any event in index=main sourcetype=servers for your selected time range of the query.

| tstats count WHERE index=main sourcetype=servers by host | eval isReporting=1 
| append [| inputlookup servers.csv | table host | eval isReporting=0]
| stats max(isReporting) as isReporting by host | where isReporting=0

Re: How can I compare what host am i missing?

mmcarty — Fri, 23 Feb 2018 20:34:31 GMT

Hello
First of all thank you very much for your reply.
i got 0 results :(, i copied and pasted but got no results.

Re: How can I compare what host am i missing?

somesoni2 — Fri, 23 Feb 2018 20:45:20 GMT

Do you get results when you run this?

| tstats count WHERE index=main sourcetype=servers by host | eval isReporting=1

Re: How can I compare what host am i missing?

mmcarty — Fri, 23 Feb 2018 21:00:44 GMT

Yes! first and second line give me results, when i do thrid line i got 0 no events.
thank you very much!

Re: How can I compare what host am i missing?

somesoni2 — Fri, 23 Feb 2018 21:07:41 GMT

Try running everything except the | where... part. It should return results. Then see in the results if you see any row with field isReporting as 0. If they're all 1 means all the servers are reporting. Also, what time range you're using for your search?