topic Re: How find a service that is not running on a server in Splunk Search

.

Kksplunker — Wed, 21 Apr 2021 21:19:05 GMT

Re: How find a service that is not running on a server

gcusello — Tue, 20 Apr 2021 06:44:42 GMT

try something like this:

Ciao.

Giuseppe

Re: How find a service that is not running on a server

Kksplunker — Wed, 21 Apr 2021 21:21:45 GMT

Re: How find a service that is not running on a server

gcusello — Tue, 20 Apr 2021 12:56:09 GMT

Hi @Kksplunker,

ok, let me understand:

you have some servers with service="CB" and some others without this service,
you want the list of all servers without this service?

it's easier, did you tried this?

index="windows" State="*" NOT service="CB" | ...

Ciao.

Giuseppe

Re: How find a service that is not running on a server

Kksplunker — Wed, 21 Apr 2021 21:20:58 GMT

Re: How find a service that is not running on a server

gcusello — Tue, 20 Apr 2021 16:35:36 GMT

Hi @Kksplunker,

sorry but I don't understand your need:

if you want the servers, from your lookup, without the service CB, you can use my first answer,
if you want the servers, in all your infrastructure, without the service CB, you can use my second answer;

what's your need?

In my opinion you need the first, in which there are the list of all servers with service=CB active that are sending logs and there's the match with the list of all your server from the lookup:

total=0 means that you haven't servers with service=CB that are sending logs,
total>0 means that you have servers with service=CB that are sending logs,

if in your lookup you have more than Windows servers, you have to filter the lookup in the append.

Ciao.

Giuseppe