How to get only active hosts?

Stephcg — Sat, 21 Jan 2023 00:24:59 GMT

I have an application that have some instances/hosts. Because of change of throughput or instability new instances/hosts can be initiated and old can be terminated.
There are many different events/logs being registered.

When a new instance/host is initiated it shows the following event/log:

1/20/23
6:00:01.256 PM

[app=gateway-example-app, traceId=, spanId=, INFO 1 [ main] gateway.GatewayApplicationKt : Started GatewayApplicationKt in 21.081 seconds (JVM running for 48.641)

host = ip-example-of-ip-01
source = http:source-example
sourcetype = example-sourcetype

When an instance is terminated, it shows the following log:

1/20/23
3:53:42.778 PM

CoreServiceImpl INFO: JVM is shutting down

host = ip-example-of-ip-02
source = http:source-example
sourcetype = example-sourcetype

Is there a way of getting a list of hosts that have the log of initialization, but don't have the log of termination?
In other words, a list of currently active hosts?

Thank you for any help in advance. And sorry if I wrote anything wrong, english is not my main language.

Re: How to get only active hosts?

scelikok — Sat, 21 Jan 2023 02:21:53 GMT

Hi @Stephcg,

There are other ways but the below should work for your case;

index=application source=http:source-example sourcetype=example-sourcetype ("is shutting down" OR "Started") | dedup host | search "Started" | table _time host

Re: How to get only active hosts?

Stephcg — Sat, 21 Jan 2023 20:19:07 GMT

That worked perfectly! Thank you so much for the help!

topic Re: How to get only active hosts? in Splunk Search

How to get only active hosts?

Re: How to get only active hosts?

Re: How to get only active hosts?