https://community.splunk.com/t5/Splunk-Search/How-do-you-make-a-search-that-returns-hosts-that-haven-t-checked/m-p/396992#M174456 <P>This worked out thanks again. Greatly appreciated.</P> Wed, 21 Nov 2018 02:36:39 GMT jj39501 2018-11-21T02:36:39Z https://community.splunk.com/t5/Splunk-Search/How-do-you-make-a-search-that-returns-hosts-that-haven-t-checked/m-p/396987#M174451 <P>Hello All,</P> <P>I am relatively new to Splunk and need some help on this search query. I have hosts that are required to check in periodically to an external source. However, I want to know what host have failed to do so in, lets say, the last 24 hours. Here is what I have so far.</P> <PRE><CODE>sourcetype="web" src_requires_av=true dest=requiredsite.com | table src_ip, src_nt_host, src_mac src_bunit | dedup src_ip, src_mac </CODE></PRE> <P>This outputs all devices that have successfully checked in, but I want the output to be for devices that have <STRONG><EM>not checked in</EM></STRONG>.</P> Tue, 20 Nov 2018 04:41:56 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-make-a-search-that-returns-hosts-that-haven-t-checked/m-p/396987#M174451 jj39501 2018-11-20T04:41:56Z https://community.splunk.com/t5/Splunk-Search/How-do-you-make-a-search-that-returns-hosts-that-haven-t-checked/m-p/396988#M174452 <P>Make a list of hosts that should check in and compare the list with your search results, or search over more than 24 hours and filter for hosts that have checked in but their latest check-in is older than 24 hours. Examples:</P> <PRE><CODE>sourcetype="web" src_requires_av=true dest=requiredsite.com earliest=-48h latest=now | dedup src_ip, src_mac | table _time src_ip, src_nt_host, src_mac src_bunit | where _time &lt; relative_time(now(), "-24h") sourcetype="web" src_requires_av=true dest=requiredsite.com earliest=-24h latest=now | dedup src_ip, src_mac | table _time src_ip, src_nt_host, src_mac src_bunit | inputlookup append=t hosts_that_should_check_in | stats latest(_time) as latest_time by src_ip, src_nt_host, src_mac src_bunit | where isnull(latest_time) </CODE></PRE> <P>Note, I've swapped dedup and table for significantly better performance in a distributed search environment. This way indexers can dedup before sending the table back to the search head.<BR /> The list in my example would need to contain src_ip, src_nt_host, src_mac src_bunit.</P> Tue, 29 Sep 2020 22:05:32 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-make-a-search-that-returns-hosts-that-haven-t-checked/m-p/396988#M174452 martin_mueller 2020-09-29T22:05:32Z https://community.splunk.com/t5/Splunk-Search/How-do-you-make-a-search-that-returns-hosts-that-haven-t-checked/m-p/396989#M174453 <P>Martin,</P> <P>Thank you for the prompt feedback. I will give this a shot and let you know how it goes. </P> Tue, 20 Nov 2018 21:36:57 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-make-a-search-that-returns-hosts-that-haven-t-checked/m-p/396989#M174453 jj39501 2018-11-20T21:36:57Z https://community.splunk.com/t5/Splunk-Search/How-do-you-make-a-search-that-returns-hosts-that-haven-t-checked/m-p/396990#M174454 <P>hi @jj39501 </P> <P>Did this answer solve your problem? If so, please resolve this post by approving it! If your problem is still not solved, keep us updated so that someone else can help ya. Thanks for posting!</P> Tue, 20 Nov 2018 23:09:58 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-make-a-search-that-returns-hosts-that-haven-t-checked/m-p/396990#M174454 mstjohn_splunk 2018-11-20T23:09:58Z https://community.splunk.com/t5/Splunk-Search/How-do-you-make-a-search-that-returns-hosts-that-haven-t-checked/m-p/396991#M174455 <P>Run this search for at least <CODE>Last 24-hours</CODE>:</P> <PRE><CODE>| tstats max(_indextime) AS lastSentTime WHERE index=* OR index=_* BY host sourcetype | eval silentTime = now() - lastSentTime | eval silentForTwelveHours = if(silentTime &gt; (12 * 60 * 60), "***YES***", "no") | eval silentTime = tostring(silentTime, "duration") | eventstats max(lastSentTime) AS lastSentTimeHost count(eval(silentForTwelveHours=="***YES***")) AS silent BY host | where silent&gt;0 | stats list(sourcetype) list(lastSentTime) list(silentTime) list(silentForTwelveHours) first(lastSentTimeHost) BY host </CODE></PRE> <P>There are MANY ways to crack this nut. Also, be aware that this is the <CODE>Sentinel Search</CODE> problem discussed (with solution) here:</P> <P><A href="https://conf.splunk.com/session/2015/conf2015-LookupTalk.pdf">https://conf.splunk.com/session/2015/conf2015-LookupTalk.pdf</A></P> Tue, 20 Nov 2018 23:54:52 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-make-a-search-that-returns-hosts-that-haven-t-checked/m-p/396991#M174455 woodcock 2018-11-20T23:54:52Z https://community.splunk.com/t5/Splunk-Search/How-do-you-make-a-search-that-returns-hosts-that-haven-t-checked/m-p/396992#M174456 <P>This worked out thanks again. Greatly appreciated.</P> Wed, 21 Nov 2018 02:36:39 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-make-a-search-that-returns-hosts-that-haven-t-checked/m-p/396992#M174456 jj39501 2018-11-21T02:36:39Z https://community.splunk.com/t5/Splunk-Search/How-do-you-make-a-search-that-returns-hosts-that-haven-t-checked/m-p/396993#M174457 <P>Woodcock,</P> <P>Thanks for you help as well. I will keep this in mind if variables in my environment change.</P> Wed, 21 Nov 2018 02:37:40 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-make-a-search-that-returns-hosts-that-haven-t-checked/m-p/396993#M174457 jj39501 2018-11-21T02:37:40Z https://community.splunk.com/t5/Splunk-Search/How-do-you-make-a-search-that-returns-hosts-that-haven-t-checked/m-p/396994#M174458 <P>Posters cannot accept more than on answer but anything can get <CODE>UpVoted</CODE>...</P> Wed, 21 Nov 2018 02:51:11 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-make-a-search-that-returns-hosts-that-haven-t-checked/m-p/396994#M174458 woodcock 2018-11-21T02:51:11Z