https://community.splunk.com/t5/Splunk-Search/How-to-find-a-host-which-is-missing-a-specific-value/m-p/499656#M139147 <PRE><CODE> sourcetype=openPorts host=*511100471375* | stats values(Port) as Port by host | where isnull(mvfind(Port,2000)) </CODE></PRE> <P>This query displays a list of open ports on the host and excludes those that contain port 2000.</P> Mon, 02 Dec 2019 13:31:11 GMT to4kawa 2019-12-02T13:31:11Z https://community.splunk.com/t5/Splunk-Search/How-to-find-a-host-which-is-missing-a-specific-value/m-p/499651#M139142 <P>Hi all,</P> <P>My question is focused on open ports but the condition applies to a wide range of scenarios. My question is the following:</P> <P>I need to create alerts for specific ports when they are not open, and my query looks like this</P> <PRE><CODE>sourcetype=openPorts Port=2000 | search host=*foo* </CODE></PRE> <P>This checks all the hosts with "foo" in their name for open port 2000. My question is, how do I define a search that returns the hosts that do NOT have the specified port open. When I try to amend the query with eith using "NOT" or "!=" I get all port values that are not 2000. How do I get the results that do not have that value at all?</P> Mon, 02 Dec 2019 09:30:21 GMT https://community.splunk.com/t5/Splunk-Search/How-to-find-a-host-which-is-missing-a-specific-value/m-p/499651#M139142 galindimitrov 2019-12-02T09:30:21Z https://community.splunk.com/t5/Splunk-Search/How-to-find-a-host-which-is-missing-a-specific-value/m-p/499652#M139143 <PRE><CODE>sourcetype=openPorts Port IN (80,8080,10080,...) host=*foo* </CODE></PRE> <P>Hi, @galindimitrov<BR /> I think you can use <CODE>IN</CODE></P> Mon, 02 Dec 2019 11:48:20 GMT https://community.splunk.com/t5/Splunk-Search/How-to-find-a-host-which-is-missing-a-specific-value/m-p/499652#M139143 to4kawa 2019-12-02T11:48:20Z https://community.splunk.com/t5/Splunk-Search/How-to-find-a-host-which-is-missing-a-specific-value/m-p/499653#M139144 <P>@to4kawa, <BR /> It looks good on a first glance, but in my case I do not believe it is very applicable. For example host X may have the needed port open and it will show in the query, after some time something happens and the port is closed now. Using IN lets me filter by a range, but what I need is to know which host does not have the value in the query, like in the above example port 2000. But if I just look for results in a range then, I will potentially get hosts that also have the port open even though it may not be specified in the query, </P> Mon, 02 Dec 2019 12:39:17 GMT https://community.splunk.com/t5/Splunk-Search/How-to-find-a-host-which-is-missing-a-specific-value/m-p/499653#M139144 galindimitrov 2019-12-02T12:39:17Z https://community.splunk.com/t5/Splunk-Search/How-to-find-a-host-which-is-missing-a-specific-value/m-p/499654#M139145 <P>Give examples of host and port status and indicate when you want results.</P> <PRE><CODE>sourcetype=openPorts NOT Port IN (80,8080,10080,...) host=*foo* </CODE></PRE> <P>I think this is good.</P> Mon, 02 Dec 2019 12:54:24 GMT https://community.splunk.com/t5/Splunk-Search/How-to-find-a-host-which-is-missing-a-specific-value/m-p/499654#M139145 to4kawa 2019-12-02T12:54:24Z https://community.splunk.com/t5/Splunk-Search/How-to-find-a-host-which-is-missing-a-specific-value/m-p/499655#M139146 <PRE><CODE>sourcetype=openPorts Port IN (8076,9999,5555,8283,8284,8092,8093,9899) | search host=*511100471375* | table host Port </CODE></PRE> <P><A href="https://imgur.com/0qKvapm">https://imgur.com/0qKvapm</A><BR /> This query will return all the hosts with 511100471375 in their names with open ports corresponding to the range given in the IN operator. However that does not mean that port 2000 is not open on any of the hosts in the results. So if my query looks like </P> <PRE><CODE> sourcetype=openPorts Port IN 8076,9999,5555,8283,8284,8092,8093,9899,2000) | search host=*511100471375* | table host Port </CODE></PRE> <P>I will get the same results as the last query, with an additional entry for each host that has port 2000 open. What I am looking to achieve is to set an alarm to be triggered when a port is no longer open or is not present in the open ports on a given host and I need to see which hosts no longer have the port open. Lets say the logic I am looking for is </P> <PRE><CODE>sourcetype=openports return hosts that do not have Port=2000| table host Port </CODE></PRE> Mon, 02 Dec 2019 13:09:58 GMT https://community.splunk.com/t5/Splunk-Search/How-to-find-a-host-which-is-missing-a-specific-value/m-p/499655#M139146 galindimitrov 2019-12-02T13:09:58Z https://community.splunk.com/t5/Splunk-Search/How-to-find-a-host-which-is-missing-a-specific-value/m-p/499656#M139147 <PRE><CODE> sourcetype=openPorts host=*511100471375* | stats values(Port) as Port by host | where isnull(mvfind(Port,2000)) </CODE></PRE> <P>This query displays a list of open ports on the host and excludes those that contain port 2000.</P> Mon, 02 Dec 2019 13:31:11 GMT https://community.splunk.com/t5/Splunk-Search/How-to-find-a-host-which-is-missing-a-specific-value/m-p/499656#M139147 to4kawa 2019-12-02T13:31:11Z https://community.splunk.com/t5/Splunk-Search/How-to-find-a-host-which-is-missing-a-specific-value/m-p/499657#M139148 <P>Hi @galindimitrov,</P> <P>You can create a lookup which contains pattern matching hosts and you can use it in your query.</P> <P>sourcetype=openPorts Port=2000 | search host=<EM>foo</EM> NOT [| inputlookup lookup_filename.csv | fields host]</P> <P>If it helps you, please accept it as an answer.</P> <P>Regards,<BR /> Tejas</P> Mon, 02 Dec 2019 13:59:15 GMT https://community.splunk.com/t5/Splunk-Search/How-to-find-a-host-which-is-missing-a-specific-value/m-p/499657#M139148 tbavarva 2019-12-02T13:59:15Z https://community.splunk.com/t5/Splunk-Search/How-to-find-a-host-which-is-missing-a-specific-value/m-p/499658#M139149 <P>Correcting host matching pattern.</P> <P>sourcetype=openPorts Port=2000 | search host="<EM>foo</EM>" NOT [| inputlookup lookup_filename.csv | fields host]</P> <P>Regards,<BR /> Tejas</P> Mon, 02 Dec 2019 14:00:59 GMT https://community.splunk.com/t5/Splunk-Search/How-to-find-a-host-which-is-missing-a-specific-value/m-p/499658#M139149 tbavarva 2019-12-02T14:00:59Z https://community.splunk.com/t5/Splunk-Search/How-to-find-a-host-which-is-missing-a-specific-value/m-p/499659#M139150 <P>Thank you, I will test it out tomorrow and let you know <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Mon, 02 Dec 2019 15:24:02 GMT https://community.splunk.com/t5/Splunk-Search/How-to-find-a-host-which-is-missing-a-specific-value/m-p/499659#M139150 galindimitrov 2019-12-02T15:24:02Z https://community.splunk.com/t5/Splunk-Search/How-to-find-a-host-which-is-missing-a-specific-value/m-p/499660#M139151 <P>I will check tomorrow and let you know, thanks in advance <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Mon, 02 Dec 2019 15:24:30 GMT https://community.splunk.com/t5/Splunk-Search/How-to-find-a-host-which-is-missing-a-specific-value/m-p/499660#M139151 galindimitrov 2019-12-02T15:24:30Z https://community.splunk.com/t5/Splunk-Search/How-to-find-a-host-which-is-missing-a-specific-value/m-p/499661#M139152 <P>Why is this not sufficient?</P> <PRE><CODE>index="YouShouldAlwaysSpecifyAnIndex" AND sourcetype="openPorts" | stats count(eval(Port="2000")) AS port2000 BY host | where port2000=="0" </CODE></PRE> Mon, 02 Dec 2019 21:18:47 GMT https://community.splunk.com/t5/Splunk-Search/How-to-find-a-host-which-is-missing-a-specific-value/m-p/499661#M139152 woodcock 2019-12-02T21:18:47Z