https://community.splunk.com/t5/Splunk-Search/How-to-find-non-monitored-hosts/m-p/670524#M229848 <P>In splunk terminolgy it's not called "query" but "search".</P><P>Anyway, it's a common question how to "find" something that's not there.</P><P>See <A href="https://www.duanewaddle.com/proving-a-negative/" target="_blank">https://www.duanewaddle.com/proving-a-negative/</A></P> Sat, 02 Dec 2023 11:44:34 GMT PickleRick 2023-12-02T11:44:34Z https://community.splunk.com/t5/Splunk-Search/How-to-find-non-monitored-hosts/m-p/670523#M229847 <P>Hey All,&nbsp;</P><P><SPAN>I’m a splunk beginner I'm looking to create a query that to be used</SPAN>&nbsp; <SPAN>as an alert, specifically to identify servers not in the&nbsp;</SPAN>_<SPAN>inventory – those not being monitored by Splunk. If anyone could share insights, examples</SPAN></P><P><SPAN>Thank You</SPAN></P> Sat, 02 Dec 2023 11:47:59 GMT https://community.splunk.com/t5/Splunk-Search/How-to-find-non-monitored-hosts/m-p/670523#M229847 Muthu_Vinith 2023-12-02T11:47:59Z https://community.splunk.com/t5/Splunk-Search/How-to-find-non-monitored-hosts/m-p/670524#M229848 <P>In splunk terminolgy it's not called "query" but "search".</P><P>Anyway, it's a common question how to "find" something that's not there.</P><P>See <A href="https://www.duanewaddle.com/proving-a-negative/" target="_blank">https://www.duanewaddle.com/proving-a-negative/</A></P> Sat, 02 Dec 2023 11:44:34 GMT https://community.splunk.com/t5/Splunk-Search/How-to-find-non-monitored-hosts/m-p/670524#M229848 PickleRick 2023-12-02T11:44:34Z https://community.splunk.com/t5/Splunk-Search/How-to-find-non-monitored-hosts/m-p/670525#M229849 <P>Splunk is not good at finding things that aren't there - essentially, you would have to provide a list of all the servers you expect to find and discount all those that you do find, leaving you a list of servers which haven't been found.</P> Sat, 02 Dec 2023 11:44:48 GMT https://community.splunk.com/t5/Splunk-Search/How-to-find-non-monitored-hosts/m-p/670525#M229849 ITWhisperer 2023-12-02T11:44:48Z https://community.splunk.com/t5/Splunk-Search/How-to-find-non-monitored-hosts/m-p/670607#M229874 <P><SPAN>I’ve a scenario where I want to compare of events from </SPAN>index=abc host=_inventory<SPAN> and &nbsp;data from a lookup file that includes fields such as </SPAN>host<SPAN>, </SPAN>location<SPAN>, </SPAN>os<SPAN>, etc. The end goal is to point out servers that aren't being reported by Splunk. The structure of my Splunk events includes fields like </SPAN>location<SPAN>, </SPAN>tier<SPAN>, </SPAN>servers<SPAN>, and </SPAN>splunk_server<SPAN>. In the lookup file, I have fields like </SPAN>host<SPAN>, </SPAN>location<SPAN>, </SPAN>os<SPAN>, and more</SPAN></P><P><SPAN>I combined two data’s and what is the search condition to find out how servers are being monitored&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225168">@ITWhisperer</a>&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/231884">@PickleRick</a>&nbsp;</SPAN></P> Mon, 04 Dec 2023 09:34:46 GMT https://community.splunk.com/t5/Splunk-Search/How-to-find-non-monitored-hosts/m-p/670607#M229874 Muthu_Vinith 2023-12-04T09:34:46Z https://community.splunk.com/t5/Splunk-Search/How-to-find-non-monitored-hosts/m-p/670612#M229875 <LI-CODE lang="markup">index=abc | stats count by host | inputlookup append=t yourlookup | fillnull count | stats sum(count) as count by host | where count=0</LI-CODE> Mon, 04 Dec 2023 10:13:21 GMT https://community.splunk.com/t5/Splunk-Search/How-to-find-non-monitored-hosts/m-p/670612#M229875 ITWhisperer 2023-12-04T10:13:21Z https://community.splunk.com/t5/Splunk-Search/How-to-find-non-monitored-hosts/m-p/670626#M229883 <P>This search will give results of servers that is not being reported Correct?&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225168">@ITWhisperer</a>&nbsp;</P> Mon, 04 Dec 2023 11:49:38 GMT https://community.splunk.com/t5/Splunk-Search/How-to-find-non-monitored-hosts/m-p/670626#M229883 Muthu_Vinith 2023-12-04T11:49:38Z https://community.splunk.com/t5/Splunk-Search/How-to-find-non-monitored-hosts/m-p/670630#M229884 <P>That's the idea - try it and see</P> Mon, 04 Dec 2023 12:05:42 GMT https://community.splunk.com/t5/Splunk-Search/How-to-find-non-monitored-hosts/m-p/670630#M229884 ITWhisperer 2023-12-04T12:05:42Z https://community.splunk.com/t5/Splunk-Search/How-to-find-non-monitored-hosts/m-p/670634#M229885 <P>Okay Thank you&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225168">@ITWhisperer</a>&nbsp;</P> Mon, 04 Dec 2023 12:23:07 GMT https://community.splunk.com/t5/Splunk-Search/How-to-find-non-monitored-hosts/m-p/670634#M229885 Muthu_Vinith 2023-12-04T12:23:07Z https://community.splunk.com/t5/Splunk-Search/How-to-find-non-monitored-hosts/m-p/670749#M229909 <P>I tired this method but it's giving me servers that is&nbsp; monitored&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225168">@ITWhisperer</a>&nbsp;</P> Tue, 05 Dec 2023 04:01:25 GMT https://community.splunk.com/t5/Splunk-Search/How-to-find-non-monitored-hosts/m-p/670749#M229909 Muthu_Vinith 2023-12-05T04:01:25Z https://community.splunk.com/t5/Splunk-Search/How-to-find-non-monitored-hosts/m-p/670797#M229918 <P>This sounds like a data issue - you should check which hosts are coming up as not being monitored and see why they are not showing up in your index.</P> Tue, 05 Dec 2023 11:39:55 GMT https://community.splunk.com/t5/Splunk-Search/How-to-find-non-monitored-hosts/m-p/670797#M229918 ITWhisperer 2023-12-05T11:39:55Z https://community.splunk.com/t5/Splunk-Search/How-to-find-non-monitored-hosts/m-p/670892#M229948 <P>Sure&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225168">@ITWhisperer</a>&nbsp;</P> Tue, 05 Dec 2023 17:47:26 GMT https://community.splunk.com/t5/Splunk-Search/How-to-find-non-monitored-hosts/m-p/670892#M229948 Muthu_Vinith 2023-12-05T17:47:26Z