https://community.splunk.com/t5/Splunk-Search/Why-is-search-for-hosts-not-sending-logs-and-no-longer-showing/m-p/620940#M215843 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/229059">@neerajs_81</a>,</P><P>please try ths different search:</P><LI-CODE lang="markup">| metasearch index=linux [ | inputlookup linux_servers | table host ] earliest=-24h@h latest=now | eval host=lower(host) | stats count BY host | append [ | inputlookup linux_servers | eval host=lower(host), count=0 | table host count ] | stats sum(count) AS total BY host | where total=0</LI-CODE><P>Ciao.</P><P>Giuseppe</P><P>Ciao.</P><P>Giuseppe</P> Tue, 15 Nov 2022 16:36:24 GMT gcusello 2022-11-15T16:36:24Z https://community.splunk.com/t5/Splunk-Search/Why-is-search-for-hosts-not-sending-logs-and-no-longer-showing/m-p/620907#M215833 <P>Hello,&nbsp; We have been using this query to list out hosts that are not sending logs since past 24h.&nbsp; It has been working well and for some unknown reason it has now suddenly stopped working.&nbsp; In the sense it does not show any results despite there r hosts that meet the condition.&nbsp; Can someone pls help to figure out why ?<BR /><BR /></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="markup">| tstats max(_time) as lastSeen_epoch WHERE index=linux [| inputlookup linux_servers | table host ] by host | where lastSeen_epoch&lt;relative_time(now(),"-24H") | eval LastSeen=strftime(lastSeen_epoch,"%m/%d/%y %H:%M:%S") | fields host LastSeen</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P><BR /><BR />Our lookupfile has 700 hosts .&nbsp; Now if i reverse the where condition (just for testing) as shown below ,<BR /><BR /></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="markup"> where lastSeen_epoch &gt; relative_time(now(),"-24H") </LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P><BR /><BR />it shows 694 results&nbsp; meaning there are 6 hosts (700-694)&nbsp; that are not logging.&nbsp; &nbsp;So why is the original query not display the 6 hosts ?&nbsp;&nbsp;<BR /><BR />Thanks<BR /><BR />&nbsp;</P> Wed, 16 Nov 2022 06:15:51 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-search-for-hosts-not-sending-logs-and-no-longer-showing/m-p/620907#M215833 neerajs_81 2022-11-16T06:15:51Z https://community.splunk.com/t5/Splunk-Search/Why-is-search-for-hosts-not-sending-logs-and-no-longer-showing/m-p/620909#M215834 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/229059">@neerajs_81</a>,</P><P>maybe it will be a stupid try, but adding equal to the condition?</P><LI-CODE lang="markup">| tstats max(_time) as lastSeen_epoch WHERE index=linux [| inputlookup linux_servers | table host ] by host | where lastSeen_epoch&lt;=relative_time(now(),"-24H") | eval LastSeen=strftime(lastSeen_epoch,"%m/%d/%y %H:%M:%S") | fields host LastSeen</LI-CODE><P>Ciao.</P><P>Giuseppe</P> Tue, 15 Nov 2022 14:17:00 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-search-for-hosts-not-sending-logs-and-no-longer-showing/m-p/620909#M215834 gcusello 2022-11-15T14:17:00Z https://community.splunk.com/t5/Splunk-Search/Why-is-search-for-hosts-not-sending-logs-and-no-longer-showing/m-p/620927#M215839 <P>That didn't work either.&nbsp; It shows 0 results. Thanks for responding.</P> Tue, 15 Nov 2022 16:01:03 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-search-for-hosts-not-sending-logs-and-no-longer-showing/m-p/620927#M215839 neerajs_81 2022-11-15T16:01:03Z https://community.splunk.com/t5/Splunk-Search/Why-is-search-for-hosts-not-sending-logs-and-no-longer-showing/m-p/620940#M215843 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/229059">@neerajs_81</a>,</P><P>please try ths different search:</P><LI-CODE lang="markup">| metasearch index=linux [ | inputlookup linux_servers | table host ] earliest=-24h@h latest=now | eval host=lower(host) | stats count BY host | append [ | inputlookup linux_servers | eval host=lower(host), count=0 | table host count ] | stats sum(count) AS total BY host | where total=0</LI-CODE><P>Ciao.</P><P>Giuseppe</P><P>Ciao.</P><P>Giuseppe</P> Tue, 15 Nov 2022 16:36:24 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-search-for-hosts-not-sending-logs-and-no-longer-showing/m-p/620940#M215843 gcusello 2022-11-15T16:36:24Z https://community.splunk.com/t5/Splunk-Search/Why-is-search-for-hosts-not-sending-logs-and-no-longer-showing/m-p/620991#M215854 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/161352">@gcusello</a>&nbsp; That query worked.&nbsp; So how is it that this one is working while the earlier isn't&nbsp; ?&nbsp; Secondly can you pls clarify why are we appending the same lookup file again&nbsp; when we have already called the lookup file at the beginning&nbsp; ?&nbsp;&nbsp;<BR /><BR /><STRONG>| append [ | inputlookup linux_deployed_servers | eval host=lower(host), count=0 | table host count ]</STRONG></P> Wed, 16 Nov 2022 05:22:59 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-search-for-hosts-not-sending-logs-and-no-longer-showing/m-p/620991#M215854 neerajs_81 2022-11-16T05:22:59Z https://community.splunk.com/t5/Splunk-Search/Why-is-search-for-hosts-not-sending-logs-and-no-longer-showing/m-p/621003#M215861 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/229059">@neerajs_81</a>,</P><P>the subsearch using the lookup at the beginning is only to limit the main search only to the servers of the lookup and avoid other results.</P><P>The real check is made after the append.</P><P>Ciao.</P><P>Giuseppe</P> Wed, 16 Nov 2022 07:10:44 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-search-for-hosts-not-sending-logs-and-no-longer-showing/m-p/621003#M215861 gcusello 2022-11-16T07:10:44Z https://community.splunk.com/t5/Splunk-Search/Why-is-search-for-hosts-not-sending-logs-and-no-longer-showing/m-p/621043#M215878 <P>Curious - any way to further optimize your search to also make it show&nbsp; LastSeenTime of those hosts ?&nbsp; Even if its in epoch i can convert it into human readable format&nbsp; .&nbsp; I tried the following way in your stats command but the lastSeen column comes out empty.</P><LI-CODE lang="markup">| stats sum(count) AS total max(_time) as lastTime BY host </LI-CODE><P>&nbsp;</P> Wed, 16 Nov 2022 12:31:10 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-search-for-hosts-not-sending-logs-and-no-longer-showing/m-p/621043#M215878 neerajs_81 2022-11-16T12:31:10Z https://community.splunk.com/t5/Splunk-Search/Why-is-search-for-hosts-not-sending-logs-and-no-longer-showing/m-p/621046#M215880 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/229059">@neerajs_81</a>,</P><P>it's correct: the algorithm of my search is that total is equal to zero only when there isn't any event in the main search, so you cannot have the LastSeen value.</P><P>Maybe this is the problem of your original search.</P><P>Ciao.</P><P>Giuseppe</P> Wed, 16 Nov 2022 12:59:00 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-search-for-hosts-not-sending-logs-and-no-longer-showing/m-p/621046#M215880 gcusello 2022-11-16T12:59:00Z https://community.splunk.com/t5/Splunk-Search/Why-is-search-for-hosts-not-sending-logs-and-no-longer-showing/m-p/621051#M215883 <P>Ahh. Didn't realize that. Thanks</P> Wed, 16 Nov 2022 13:18:30 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-search-for-hosts-not-sending-logs-and-no-longer-showing/m-p/621051#M215883 neerajs_81 2022-11-16T13:18:30Z