topic Re: Splunk query to get total number services count based on host in Splunk Search

How search total number services count based on host?

sekhar463 — Wed, 26 Oct 2022 14:42:23 GMT

hai all,

i am checking about list of services down based on a host using below search

index=ivz_unix* Service source="Unix:Service" status=stopped

what was the search query use to check list of services down for a host based on host name.

for example i want to see for a host these services are in stopped state.

please help

Re: Splunk query to get total number services count based on host

ITWhisperer — Wed, 26 Oct 2022 13:23:59 GMT

It depends what events you have in your index (which you haven't shared).

Having said that, perhaps you want the latest status of the services on each host and count the number in the stopped state?

index=ivz_unix* Service source="Unix:Service" | stats latest(status) as status by host Service | where status="stopped" | stats count by host

Re: Splunk query to get total number services count based on host

sekhar463 — Wed, 26 Oct 2022 13:47:09 GMT

i am not getting anything while checking with this

actually i want create a view as to check list of services in stopped state based on hostname

Re: Splunk query to get total number services count based on host

ITWhisperer — Wed, 26 Oct 2022 14:22:02 GMT

Perhaps if you could share some of your events (anonymised of course) and which fields you already have extracted, we might be able to help you a bit more.

Re: Splunk query to get total number services count based on host

sekhar463 — Wed, 26 Oct 2022 14:38:29 GMT

hi events as for unix services data for source type Unix:Service"

2:36:57.000 PM
Wed Oct 26 09:36:57 CDT 2022 type=systemctl UNIT=systemd-readahead-done.service, LOADED=loaded, ACTIVE=inactive, SUB=dead, DESCRIPTION="Stop Read-Ahead Data Collection"
host = usinfsmbcld100source = Unix:Servicesourcetype = Unix:Service
10/26/22
2:36:57.000 PM
Wed Oct 26 09:36:57 CDT 2022 type=systemctl UNIT=systemd-readahead-collect.service, LOADED=loaded, ACTIVE=inactive, SUB=dead, DESCRIPTION="Collect Read-Ahead Data"
host = usinfsmbcld100source = Unix:Servicesourcetype = Unix:Service
10/26/22
2:36:57.000 PM
Wed Oct 26 09:36:57 CDT 2022 type=systemctl UNIT=systemd-modules-load.service, LOADED=loaded, ACTIVE=inactive, SUB=dead, DESCRIPTION="Load Kernel Modules"
host = usinfsmbcld100source = Unix:Servicesourcetype = Unix:Service
10/26/22
2:36:57.000 PM
Wed Oct 26 09:36:57 CDT 2022 type=systemctl UNIT=systemd-ask-password-plymouth.service, LOADED=loaded, ACTIVE=inactive, SUB=dead, DESCRIPTION="Forward Password Requests to Plymouth"
host = usinfsmbcld100source = Unix:Servicesourcetype = Unix:Service
10/26/22
2:36:57.000 PM
Wed Oct 26 09:36:57 CDT 2022 type=systemctl UNIT=rpc-statd-notify.service, LOADED=loaded, ACTIVE=inactive, SUB=dead, DESCRIPTION="Notify NFS peers of a restart"
host = usinfsmbcld100source = Unix:Servicesourcetype = Unix:Service
10/26/22
2:36:57.000 PM
Wed Oct 26 09:36:57 CDT 2022 type=systemctl UNIT=rhel-autorelabel.service, LOADED=loaded, ACTIVE=inactive, SUB=dead, DESCRIPTION="Relabel all filesystems, if necessary"
host = usinfsmbcld100source = Unix:Servicesourcetype = Unix:Service
10/26/22
2:36:57.000 PM
Wed Oct 26 09:36:57 CDT 2022 type=systemctl UNIT=rhel-autorelabel-mark.service, LOADED=loaded, ACTIVE=inactive, SUB=dead, DESCRIPTION="Mark the need to relabel after reboot"
host = usinfsmbcld100source = Unix:Servicesourcetype = Unix:Service
10/26/22
2:36:57.000 PM
Wed Oct 26 09:36:57 CDT 2022 type=systemctl UNIT=pxp-agent.service, LOADED=not-found, ACTIVE=inactive, SUB=dead, DESCRIPTION="pxp-agent.service"
host = usinfsmbcld100source = Unix:Servicesourcetype = Unix:Service
10/26/22
2:36:57.000 PM
Wed Oct 26 09:36:57 CDT 2022 type=systemctl UNIT=plymouth-quit-wait.service, LOADED=loaded, ACTIVE=inactive, SUB=dead, DESCRIPTION="Wait for Plymouth Boot Screen to Quit"
host = usinfsmbcld100source = Unix:Servicesourcetype = Unix:Service

Re: Splunk query to get total number services count based on host

ITWhisperer — Wed, 26 Oct 2022 14:53:53 GMT

What fields do you already have extracted?

Which part of the event tells you what the service is?

Which part of the event tells you the status of the service?

Re: Splunk query to get total number services count based on host

sekhar463 — Wed, 26 Oct 2022 15:00:16 GMT

Already extracted the fields host , service name ,description and status

so i want to know how many services are down for a host.

Re: Splunk query to get total number services count based on host

ITWhisperer — Wed, 26 Oct 2022 15:05:06 GMT

Note that you will have to use the correct field names and values for your usecase and that the where command is case-sensitive

index=ivz_unix* Service source="Unix:Service" | stats latest(status) as status by host Service | where status="stopped" | stats count by host

Re: Splunk query to get total number services count based on host

sekhar463 — Wed, 26 Oct 2022 17:16:27 GMT

its giving 0 results

but while it has data,how we can filter to list only services for a host