<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: finding systems from a CSV that are not reporting into Splunk in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/finding-systems-from-a-CSV-that-are-not-reporting-into-Splunk/m-p/392756#M70169</link>
    <description>&lt;P&gt;Try this:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;| tstats min(_time) AS firstTime max(_time) AS lastTime max(_indextime) AS recentTime count AS totalCount WHERE index=* BY host 
| lookup assets.csv "short_names" as host Output "asset_state" as Reason 
| where Reason == "In Use"
| eval diff = (now() - recentTime) / 86400 
| where diff &amp;gt; 3.0
| eval now = now() 
| sort 0 - diff 
| table host Reason diff recentTime firstTime
| foreach now *Time [ fieldformat &amp;lt;&amp;lt;FIELD&amp;gt;&amp;gt; = strftime(&amp;lt;&amp;lt;FIELD&amp;gt;&amp;gt;, "%Y-%m-%d %H:%M:%S") ]
&lt;/CODE&gt;&lt;/PRE&gt;</description>
    <pubDate>Wed, 20 Feb 2019 22:55:43 GMT</pubDate>
    <dc:creator>woodcock</dc:creator>
    <dc:date>2019-02-20T22:55:43Z</dc:date>
    <item>
      <title>finding systems from a CSV that are not reporting into Splunk</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/finding-systems-from-a-CSV-that-are-not-reporting-into-Splunk/m-p/392754#M70167</link>
      <description>&lt;P&gt;I have a search that I am working on and running into problems.  &lt;/P&gt;

&lt;P&gt;Currently, I have a CSV generated that contains all of our hosts and their statuses on our network — in use, expired, disposed, etc.  I am trying to search on "in use" status and find the first/last time they reported into Splunk.  &lt;/P&gt;

&lt;P&gt;I thought the search I had was working well, but some systems show up as not having reported in a number of days even though searching host=foo for them returns current events.  Below is my search:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;| metadata type=hosts 
| lookup assets.csv "short_names" as host Output "asset_state" as Reason 
| where Reason="In Use"
| dedup host firstTime recentTime lastTime
| eval diff= (now()-recentTime)/86400
| convert ctime(firstTime) timeformat="%Y-%m-%d %H:%M:%S"
| convert ctime(lastTime) timeformat="%Y-%m-%d %H:%M:%S"
| convert ctime(recentTime) timeformat="%Y-%m-%d %H:%M:%S"
| where diff &amp;gt; 3.0
| eval now= now()
| convert ctime(now) timeformat="%Y-%m-%d %H:%M:%S"
| sort - diff
| table host Reason diff recentTime firstTime
&lt;/CODE&gt;&lt;/PRE&gt;</description>
      <pubDate>Wed, 20 Feb 2019 18:11:37 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/finding-systems-from-a-CSV-that-are-not-reporting-into-Splunk/m-p/392754#M70167</guid>
      <dc:creator>jchapell</dc:creator>
      <dc:date>2019-02-20T18:11:37Z</dc:date>
    </item>
    <item>
      <title>Re: finding systems from a CSV that are not reporting into Splunk</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/finding-systems-from-a-CSV-that-are-not-reporting-into-Splunk/m-p/392755#M70168</link>
      <description>&lt;P&gt;Try &lt;CODE&gt;tstats&lt;/CODE&gt; instead of &lt;CODE&gt;metadata&lt;/CODE&gt;.&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;| tstats earliest(_time) as firstTime, latest(_time) as lastTime where index=* by host
| lookup assets.csv "short_names" as host Output "asset_state" as Reason 
| where Reason="In Use"
| eval diff= (now()-lastTime)/86400
| where diff &amp;gt; 3.0
| eval now= now()
| convert ctime(now) timeformat="%Y-%m-%d %H:%M:%S"
| sort - diff
| table host Reason diff lastTime firstTime
&lt;/CODE&gt;&lt;/PRE&gt;</description>
      <pubDate>Tue, 29 Sep 2020 23:23:50 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/finding-systems-from-a-CSV-that-are-not-reporting-into-Splunk/m-p/392755#M70168</guid>
      <dc:creator>richgalloway</dc:creator>
      <dc:date>2020-09-29T23:23:50Z</dc:date>
    </item>
    <item>
      <title>Re: finding systems from a CSV that are not reporting into Splunk</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/finding-systems-from-a-CSV-that-are-not-reporting-into-Splunk/m-p/392756#M70169</link>
      <description>&lt;P&gt;Try this:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;| tstats min(_time) AS firstTime max(_time) AS lastTime max(_indextime) AS recentTime count AS totalCount WHERE index=* BY host 
| lookup assets.csv "short_names" as host Output "asset_state" as Reason 
| where Reason == "In Use"
| eval diff = (now() - recentTime) / 86400 
| where diff &amp;gt; 3.0
| eval now = now() 
| sort 0 - diff 
| table host Reason diff recentTime firstTime
| foreach now *Time [ fieldformat &amp;lt;&amp;lt;FIELD&amp;gt;&amp;gt; = strftime(&amp;lt;&amp;lt;FIELD&amp;gt;&amp;gt;, "%Y-%m-%d %H:%M:%S") ]
&lt;/CODE&gt;&lt;/PRE&gt;</description>
      <pubDate>Wed, 20 Feb 2019 22:55:43 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/finding-systems-from-a-CSV-that-are-not-reporting-into-Splunk/m-p/392756#M70169</guid>
      <dc:creator>woodcock</dc:creator>
      <dc:date>2019-02-20T22:55:43Z</dc:date>
    </item>
    <item>
      <title>Re: finding systems from a CSV that are not reporting into Splunk</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/finding-systems-from-a-CSV-that-are-not-reporting-into-Splunk/m-p/392757#M70170</link>
      <description>&lt;P&gt;I've tried both of these and get different results from each, but both still return systems that can be verified as having written events to Splunk.  I know I can't be the only one trying to use our assets.csv to find hosts that are not writing events.&lt;/P&gt;</description>
      <pubDate>Mon, 04 Mar 2019 13:52:43 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/finding-systems-from-a-CSV-that-are-not-reporting-into-Splunk/m-p/392757#M70170</guid>
      <dc:creator>jchapell</dc:creator>
      <dc:date>2019-03-04T13:52:43Z</dc:date>
    </item>
  </channel>
</rss>

