topic Re: How to get the latest host value which is sending logs by comparing 2 hosts? in Splunk Search

How to get the latest host value which is sending logs by comparing 2 hosts?

raj_mpl — Thu, 21 Jul 2022 14:36:52 GMT

Hi ,

I have search like below where the logs are coming from the fig1,fig4,fig5,fig6 indexes from either of the 2 hosts say host1 and host2. So at a time 2 hosts won't send logs and only any of the host will be sending the logs actively to fig1 index with source type as abc.

| tstats latest(_time) as latest_time WHERE (index = fig*) (NOT index IN (fig2,fig3,)) sourcetype="abc" by host index sourcetype | eval silent_in_hours=round(( now() - latest_time)/3600,2) | where silent_in_hours>20 | eval latest_time=strftime(latest_time, "%m/%d/%Y %H:%M:%S")

I want to build logic to display if any of the host1 or host2 is sending the logs then the above query should not give any o/p (should not display the silent host because we are getting the log from other host).

Thanks in advance

Re: How to get the latest host value which is sending logs by comparing 2 hosts

richgalloway — Thu, 21 Jul 2022 12:29:34 GMT

I don't understand the problem. If a host is silent and not sending events to Splunk then there will be nothing for Splunk to show in the output. Only reporting hosts will be displayed.

Re: How to get the latest host value which is sending logs by comparing 2 hosts

raj_mpl — Thu, 21 Jul 2022 12:50:13 GMT

Hi @richgalloway , If host1 is silent then as per the above logic it will show host1 is silent as per the where condition . That I should not get because host2 will be sending the logs . So we want a logic to check if any of the host is sending the log and anyone is sending the log then alert should not trigger.
Consider Logs will come interchangeably from host1 and host2 for every 15 days

Re: How to get the latest host value which is sending logs by comparing 2 hosts

richgalloway — Thu, 21 Jul 2022 14:12:32 GMT

So you want to trigger an alert if no host is sending events, correct? If so then define an alert that triggers if this search returns zero results;

| tstats latest(_time) as latest_time WHERE (index = fig*) (NOT index IN (fig2,fig3,)) sourcetype="abc" by host index sourcetype

Re: How to get the latest host value which is sending logs by comparing 2 hosts

raj_mpl — Thu, 21 Jul 2022 17:48:07 GMT

1) At any point of time one host will be active and sending the logs out of the 2 hosts. so silent hours condition will becomes always false (silent hours>20) as we are receiving the logs so alert should not trigger

2) if both hosts silents for more than 20 hours then condition becomes true then alert should trigger

Hope I am clear with requirement

Re: How to get the latest host value which is sending logs by comparing 2 hosts?

somesoni2 — Thu, 21 Jul 2022 20:09:39 GMT

Give this a try

| tstats latest(_time) as latest_time WHERE (index = fig*) (NOT index IN (fig2,fig3,)) sourcetype="abc" by host index sourcetype | eval silent_in_hours=round(( now() - latest_time)/3600,2) | where silent_in_hours>20 | stats dc(host) as silent_hosts max(latest_time) as latest_time by index source type | where silent_hosts=2 | eval latest_time=strftime(latest_time, "%m/%d/%Y %H:%M:%S")

Re: How to get the latest host value which is sending logs by comparing 2 hosts?

raj_mpl — Fri, 22 Jul 2022 08:37:17 GMT

Hi @somesoni2 , Thanks for your reply

I tried the spl that you gave but its condition Is always looking for the silent_hosts count is 2.

where silent_hosts=2

Which in turn its ignoring the single host which is silent for more than 20 hours ( logs are coming from single host only for other index and sourcetype combinations from past 1 month onwards continuously) So this feeds the below query is discarding .

I tried where silent_hosts>=1 then in this case its displaying the old stopped host1 . This should not display as we are getting the logs to same index and sourcetype from host2