https://community.splunk.com/t5/Getting-Data-In/How-to-find-hosts-without-logs-by-time/m-p/388938#M69616 <P>Hi @skottska,<BR /> you have to create a lookup (called e.g. perimeter.csv, containing at least one field, host, and eventually other information that are useful for you, e.g. from a CMDB) and run something like this:</P> <PRE><CODE>| metasearch your_search | eval host=lower(host) | stats count BY host | append [ | inputlookup perimeter.csv | eval count=0, eval host=lower(host) | fields host ] | stats sum(count) AS total BY host | where total=0 </CODE></PRE> <P>It's better to have the search as main search and the lookup in the append because there's the limit of 50,000 results in subsearches and you can use the command <CODE>| metasearch</CODE> to speed your search.</P> <P>If you don't use the last row (<CODE>| where total=0</CODE>), you can have the status of you perimeter, that you can also display in graphic mode with icons.</P> <P>Ciao.<BR /> Giuseppe</P> Thu, 19 Dec 2019 08:13:46 GMT gcusello 2019-12-19T08:13:46Z https://community.splunk.com/t5/Getting-Data-In/How-to-find-hosts-without-logs-by-time/m-p/388936#M69614 <P>Hi</P> <P>I have a query which finds hosts without logs for the whole search and it looks like this:</P> <UL> <LI>| inputlookup hosts.csv | search NOT [search index=prod ("successfully placed") | dedup host | table host]</LI> </UL> <P>What I would like to be able to do is to split this over _time so that I can search for say "over the last 24 hours, which minutes have no logs by host".</P> <P>I've tested with trying to squeeze in "bucket _time span=1m" but I can't figure out how to combine this with my host.csv lookup.</P> <P>Anyone got any tips?</P> Wed, 22 May 2019 08:50:47 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-find-hosts-without-logs-by-time/m-p/388936#M69614 skottska 2019-05-22T08:50:47Z https://community.splunk.com/t5/Getting-Data-In/How-to-find-hosts-without-logs-by-time/m-p/388937#M69615 <P>This is what I wrote for my system, the asset file contains the short name as Host and an Environment Column. </P> <P>| inputlookup MyAssets.csv | append [search * | rex field=host "^(?\w*).?" | stats count by Host ] | fillnull value=0 count | stats values(Environment) as Environment, sum(count) as Events by Host | fillnull value="Unknown Asset Reporting" Environment</P> <P>Hosts with 0 events are not reporting, and Hosts with Unknown environments are unknown assets. </P> Wed, 18 Dec 2019 18:42:28 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-find-hosts-without-logs-by-time/m-p/388937#M69615 drodman29 2019-12-18T18:42:28Z https://community.splunk.com/t5/Getting-Data-In/How-to-find-hosts-without-logs-by-time/m-p/388938#M69616 <P>Hi @skottska,<BR /> you have to create a lookup (called e.g. perimeter.csv, containing at least one field, host, and eventually other information that are useful for you, e.g. from a CMDB) and run something like this:</P> <PRE><CODE>| metasearch your_search | eval host=lower(host) | stats count BY host | append [ | inputlookup perimeter.csv | eval count=0, eval host=lower(host) | fields host ] | stats sum(count) AS total BY host | where total=0 </CODE></PRE> <P>It's better to have the search as main search and the lookup in the append because there's the limit of 50,000 results in subsearches and you can use the command <CODE>| metasearch</CODE> to speed your search.</P> <P>If you don't use the last row (<CODE>| where total=0</CODE>), you can have the status of you perimeter, that you can also display in graphic mode with icons.</P> <P>Ciao.<BR /> Giuseppe</P> Thu, 19 Dec 2019 08:13:46 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-find-hosts-without-logs-by-time/m-p/388938#M69616 gcusello 2019-12-19T08:13:46Z https://community.splunk.com/t5/Getting-Data-In/How-to-find-hosts-without-logs-by-time/m-p/388939#M69617 <P>Like this:</P> <PRE><CODE>| tstats count WHERE index=* BY host _time span=1m | timechart limit=0 span=1m first(count) AS count BY host | fillnull value=0 | untable _time host count | where count=="0" </CODE></PRE> <P>I do not see any reason to filter, but if you do, then add this:</P> <PRE><CODE>| lookup hosts.csv host OUTPUT host AS found | where isnotnull(found) | fields - found </CODE></PRE> Fri, 20 Dec 2019 10:08:11 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-find-hosts-without-logs-by-time/m-p/388939#M69617 woodcock 2019-12-20T10:08:11Z