topic Re: Search to find hosts sending syslog AND splunkd traffic in Installation https://community.splunk.com/t5/Installation/Search-to-find-hosts-sending-syslog-AND-splunkd-traffic/m-p/9889#M53 <P>what about this?</P> <P>[search sourcetype=splunkd | dedup host | fields + host] sourcetype=syslog</P> <P>subqueries hosts that are generating splunkd events, then use these hostnames to search for syslog sourcetypes.</P> Mon, 05 Apr 2010 23:41:14 GMT rayfoo 2010-04-05T23:41:14Z Search to find hosts sending syslog AND splunkd traffic https://community.splunk.com/t5/Installation/Search-to-find-hosts-sending-syslog-AND-splunkd-traffic/m-p/9887#M51 <P>Any idea how to create a search that finds hosts that are sending BOTH syslog and splunkd traffic? We'd like to turn off syslog for these hosts.</P> Thu, 25 Feb 2010 06:00:04 GMT https://community.splunk.com/t5/Installation/Search-to-find-hosts-sending-syslog-AND-splunkd-traffic/m-p/9887#M51 oreoshake 2010-02-25T06:00:04Z Re: Search to find hosts sending syslog AND splunkd traffic https://community.splunk.com/t5/Installation/Search-to-find-hosts-sending-syslog-AND-splunkd-traffic/m-p/9888#M52 <P>What always springs to <EM>my</EM> mind for this kind of goal is:</P> <OL> <LI>run a search that gives the list of hosts sending syslog</LI> <LI>run a search that gives the list of hosts sendind splunkd</LI> <LI>compare the two lists</LI> </OL> <P>3 is a bit clumsy. You can do it with the set command, but it is the clumsy part.</P> <P>The Search &amp; Indexing team is much more fond of a declarative sql-like style, and may have a more clever variation.</P> <P>There's always the simplistic approach:</P> <P>For the last 24 hours:</P> <P>sourcetype=splunkd OR sourcetype=syslog | dedup host, sourcetype</P> <P>Then review the data manually</P> <P>If you wanted to get very fancy you could filter with something like:</P> <P>sourcetype=splunkd OR sourcetype=syslog | dedup host, sourcetype | transaction host | search linecount=2</P> Thu, 11 Mar 2010 16:53:54 GMT https://community.splunk.com/t5/Installation/Search-to-find-hosts-sending-syslog-AND-splunkd-traffic/m-p/9888#M52 jrodman 2010-03-11T16:53:54Z Re: Search to find hosts sending syslog AND splunkd traffic https://community.splunk.com/t5/Installation/Search-to-find-hosts-sending-syslog-AND-splunkd-traffic/m-p/9889#M53 <P>what about this?</P> <P>[search sourcetype=splunkd | dedup host | fields + host] sourcetype=syslog</P> <P>subqueries hosts that are generating splunkd events, then use these hostnames to search for syslog sourcetypes.</P> Mon, 05 Apr 2010 23:41:14 GMT https://community.splunk.com/t5/Installation/Search-to-find-hosts-sending-syslog-AND-splunkd-traffic/m-p/9889#M53 rayfoo 2010-04-05T23:41:14Z