https://community.splunk.com/t5/Splunk-Search/Find-hosts-which-are-not-reporting-by-both-hostname-or-IP/m-p/388281#M113215 <P>Hello All</P> <P>I originally asked a similar question</P> <P><A href="https://answers.splunk.com/answers/682992/how-do-i-use-a-comparison-search-to-find-all-devic.html">https://answers.splunk.com/answers/682992/how-do-i-use-a-comparison-search-to-find-all-devic.html</A></P> <P>It did seem to work but, it now seems not to be working. So here is what I am doing.</P> <UL> <LI>Get a list of all hosts and IP in our DMZs that are being report live/active via Qualys scan of our networks</LI> <LI>I take results from Qualys scan and place into a lookup file called dmzhosts.csv</LI> <LI>I then take the dmzhosts.csv and run a search for hostname or IP address against index=<EM>. I am doing it this way as due to the fact that not every device that is reporting into Splunk has a universal forwarder. I use the following search: `index=</EM> [ inputlookup dmzhosts.csv | table IP | rename IP AS host | format] OR [ inputlookup dmzhosts.csv | table hostname | rename hostname AS host | format] | eval host=upper(host) | stats count by host | append [inputlookup dmzhosts.csv | eval count=0, hostname=upper(hostname)|rename hostname as host | fields host, count] | stats sum(count) AS Total by host | where Total=0 | outputlookup missingdmzhosts.csv`</LI> </UL> <P>The search is only run over for the last 24 hrs and is ran every morning at 6am. My issue is that I have actually setup and verified manually several hosts that were missing, these systems are appliances and can only send syslog, but again I have verified that I see their logs in Splunk. But my search still shows them as missing dmz hosts.</P> <P>any help would be appreciated.</P> <P>thanks<BR /> ed</P> Mon, 19 Nov 2018 17:26:39 GMT edwardrose 2018-11-19T17:26:39Z https://community.splunk.com/t5/Splunk-Search/Find-hosts-which-are-not-reporting-by-both-hostname-or-IP/m-p/388281#M113215 <P>Hello All</P> <P>I originally asked a similar question</P> <P><A href="https://answers.splunk.com/answers/682992/how-do-i-use-a-comparison-search-to-find-all-devic.html">https://answers.splunk.com/answers/682992/how-do-i-use-a-comparison-search-to-find-all-devic.html</A></P> <P>It did seem to work but, it now seems not to be working. So here is what I am doing.</P> <UL> <LI>Get a list of all hosts and IP in our DMZs that are being report live/active via Qualys scan of our networks</LI> <LI>I take results from Qualys scan and place into a lookup file called dmzhosts.csv</LI> <LI>I then take the dmzhosts.csv and run a search for hostname or IP address against index=<EM>. I am doing it this way as due to the fact that not every device that is reporting into Splunk has a universal forwarder. I use the following search: `index=</EM> [ inputlookup dmzhosts.csv | table IP | rename IP AS host | format] OR [ inputlookup dmzhosts.csv | table hostname | rename hostname AS host | format] | eval host=upper(host) | stats count by host | append [inputlookup dmzhosts.csv | eval count=0, hostname=upper(hostname)|rename hostname as host | fields host, count] | stats sum(count) AS Total by host | where Total=0 | outputlookup missingdmzhosts.csv`</LI> </UL> <P>The search is only run over for the last 24 hrs and is ran every morning at 6am. My issue is that I have actually setup and verified manually several hosts that were missing, these systems are appliances and can only send syslog, but again I have verified that I see their logs in Splunk. But my search still shows them as missing dmz hosts.</P> <P>any help would be appreciated.</P> <P>thanks<BR /> ed</P> Mon, 19 Nov 2018 17:26:39 GMT https://community.splunk.com/t5/Splunk-Search/Find-hosts-which-are-not-reporting-by-both-hostname-or-IP/m-p/388281#M113215 edwardrose 2018-11-19T17:26:39Z