topic Re: How to prepare a list of hosts that have not reported in for few days - Please check my SPL listed for errors in Other Usage

How to prepare a list of hosts that have not reported in for few days - Please check my SPL listed for errors

SamHTexas — Fri, 12 Mar 2021 02:16:05 GMT

I have used the following but not producing any results. Please check it for errors.

... | eval etime=strptime(time, "%d/%m/%Y"), sevenDaysAgo=relative_time(now(), "-7d")| where etime < sevenDaysAgo

Re: How to prepare a list of hosts that have not reported in for few days - Please check my SPL listed for errors

gcusello — Fri, 12 Mar 2021 07:37:11 GMT

if you have a list of the hosts in your perimeter in a lookup (e.g. perimeter.csv with a column called host) to check you could use:

if instead you want to check the hosts of (e.g.) last month and find the ones that didn't send logs in the last seven days, you could run something like this:

| metasearch index=_internal earliest=-30d@d latest=now | eval check=if(now()-_time<604800,"last Week","Previous weeks") | stats dc(check) AS dc_check values(check) AS check BY host | where dc_check=1 AND check="Previous weeks"

Ciao.

Giuseppe

Re: How to prepare a list of hosts that have not reported in for few days - Please check my SPL listed for errors

SamHTexas — Fri, 12 Mar 2021 17:45:36 GMT

Please show me how to look up hosts that have not reported since yesterday for example.

Re: How to prepare a list of hosts that have not reported in for few days - Please check my SPL listed for errors

gcusello — Fri, 12 Mar 2021 17:52:20 GMT

Hi @SamHTexas,

you could use my search adding the outputlookup command at the end (https://docs.splunk.com/Documentation/Splunk/8.1.2/SearchReference/Outputlookup).

But remember that you have to create the Lookup and the Lookup Definition before to run the outputlookup command.

But my hint is diferent: run a search to list all the servers in your infrastructure and put them in a lookup, so you can use this list to check your infrastructure.

Ciao.

Giuseppe

Re: How to prepare a list of hosts that have not reported in for few days - Please check my SPL listed for errors

SamHTexas — Fri, 12 Mar 2021 19:25:07 GMT

Gracia. Would this tell me the list of hosts ONLY that have not reported in?

Re: How to prepare a list of hosts that have not reported in for few days - Please check my SPL listed for errors

gcusello — Sat, 13 Mar 2021 06:47:50 GMT

Hi @SamHTexas,

as I said if you use the "where" condition in the searches of my previous answer you have only the ones that reported before but not in the last week.

Ciao.

Giuseppe

Re: How to prepare a list of hosts that have not reported in for few days - Please check my SPL listed for errors

SamHTexas — Sat, 13 Mar 2021 20:32:11 GMT

Thank u for being patient with my learning. Do both of your conditions require a lookup file or only the fist one does? Thanks again

Re: How to prepare a list of hosts that have not reported in for few days - Please check my SPL listed for errors

gcusello — Sun, 14 Mar 2021 07:09:37 GMT

Hi @SamHTexas,

don't worry, no problem!

Anyway, only the first requires a perimeter lookup.

The first condition has the problem that requires the perimeter lookup to manually maintain, but gives you more control on your perimeter.

The second is easiest to maintain (doesn't requires any intervene), but it has the problem that if you have hosts that didn't send logs in the last month you loose them, at the same time if you dismiss an host, you continue to have alerts for a month.

For these reasons I prefer and usually use the first solution, you eventually could use the first maintaing it using the second.

Ciao and happy splunking.

Giuseppe

P.S.: if this answer solves your need, please accept it for the other people of Community and Karma Points are appreciated 😉

Re: How to prepare a list of hosts that have not reported in for few days - Please check my SPL listed for errors

SamHTexas — Mon, 15 Mar 2021 14:55:02 GMT

Thank u very much again. I don't have a lookup table for this purpose. But non of these 2 searches produce any results for me at all. Any idea please?

Re: How to prepare a list of hosts that have not reported in for few days - Please check my SPL listed for errors

gcusello — Mon, 15 Mar 2021 15:00:10 GMT

Hi @SamHTexas,

the first part of the first search gives you a list of all hosts that reported that you can insert in a lookup using output lookup, in few words you have to:

create a lookup (called e.g. perimeter with a column called host);
create a Lookup definition (called e.g. perimeter);
| run the following search:

| metasearch index=_internal | eval host=lower(host) | stats count BY host | outputlookup perimeter

Ciao.

Giuseppe

Re: How to prepare a list of hosts that have not reported in for few days - Please check my SPL listed for errors

SamHTexas — Mon, 15 Mar 2021 15:13:13 GMT

One more question please. So I have to have a look up table either way? My problem is that we have a 100 thousand servers !! Is there a SPL query that does not require an outlook table? Thx again

Re: How to prepare a list of hosts that have not reported in for few days - Please check my SPL listed for errors

gcusello — Mon, 15 Mar 2021 15:19:15 GMT

Hi @SamHTexas,

in this case you can use my second answer that doesn't requires a lookup.

Ciao.

Giuseppe

Re: How to prepare a list of hosts that have not reported in for few days - Please check my SPL listed for errors

SamHTexas — Mon, 15 Mar 2021 15:24:33 GMT

Let me test it out. Bro, I owe you a nice dinner in Rome when I visit there next time. I live in TX but my sister lives in Ticcino in Switzerland. Have a nice day.

Re: How to prepare a list of hosts that have not reported in for few days - Please check my SPL listed for errors

gcusello — Mon, 15 Mar 2021 15:29:08 GMT

Hi @SamHTexas,

with great pleasure!

Ciao and happy splunking.

Giuseppe

P.S.: please accept the answer for the other people of Community and Karma Points are appreciated 😉

How to prepare a list of hosts that have not reported in for few days - Please check my SPL listed for errors

SamHTexas — Mon, 15 Mar 2021 16:37:53 GMT

I check the following in our system

| metasearch index=_internal earliest=-30d@d latest=now
| eval check=if(now()-_time<604800,"last Week","Previous weeks")
| stats dc(check) AS dc_check values(check) AS check BY host
| where dc_check=1 AND check="Previous weeks"

It checks & checks for a long time for events. What I need to do is to get ONLY the names of hosts that HAVE NOT reported in. Please advise & thank you once again

Re: How to prepare a list of hosts that have not reported in for few days - Please check my SPL listed for errors

gcusello — Mon, 15 Mar 2021 16:46:32 GMT

Hi @SamHTexas,

with this search you have all the hosts in a lookup:

| metasearch index=_internal | eval host=lower(host) | stats count BY host | outputlookup perimeter

if you want the ones that doesn't reported in the last week:

Ciao.

Giuseppe

Re: How to prepare a list of hosts that have not reported in for few days - Please check my SPL listed for errors

SamHTexas — Tue, 04 Jan 2022 23:10:45 GMT

Happy 2022 Bro. Just noticed that I did not give you credit for your help then. So I just did. Thank u for all your help in 2021. Stay safe.