https://community.splunk.com/t5/Splunk-Search/Query-missing-on-each-host/m-p/683775#M233456 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/222294">@CarolinaHB</a>,</P><P>there are two solutions that depend on the&nbsp; location of the monitoring perimeter:</P><P>if you have a lookup containing the list of each app that should be present in each host (called e.g. app_perimeter.csv and containing at least two fields: host and application), you could run something like this:</P><LI-CODE lang="markup">&lt;your_search&gt; | stats count BY host application | append [ | inputlookup app_perimeter.csv | eval count=0 | fields host application count ] | stats sum(count) AS total BY host application | eval status=if(total=0,"Missing","Present") | table host application status</LI-CODE><P>If instead you don't have this lookup and you want to compare results e.g. of the last 24 hours with the results of the last 30 days, you could run something like this:</P><LI-CODE lang="markup">&lt;your_search&gt; earliest=30d latest=now | eval period=if(_time&gt;now()-86400,"Last day","Previous days") | stats dc(period) AS period_count values(period) AS period BY host application | eval status=if(period_count=1 AND period="Previous days","Missing","Present") | table host application status</LI-CODE><P>Ciao.</P><P>Giuseppe</P><P>&nbsp;</P> Wed, 10 Apr 2024 05:40:31 GMT gcusello 2024-04-10T05:40:31Z https://community.splunk.com/t5/Splunk-Search/Query-missing-on-each-host/m-p/683773#M233455 <P class="lia-indent-padding-left-30px">Good Morning,&nbsp;</P><P><SPAN>I'm working in a query to see which application is missing on each <STRONG>host.</STRONG>&nbsp;</SPAN></P><P>Can you help me, please?</P><P>For example</P><P><EM>Host&nbsp; &nbsp; &nbsp;application</EM></P><P><EM>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; Guardicore</EM></P><P><EM>&nbsp;Host1 cortex</EM></P><P><EM>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; Tenable</EM></P><P><EM>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;Trend Micro</EM></P><P><EM>Host2 cortex</EM></P><P><EM>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;Tenable</EM></P><P><EM>I need, it to show me what is missing</EM></P><UL><LI><EM>In its example Guardicore y tenable</EM></LI></UL><P>&nbsp;</P><P>Regardes</P> Wed, 10 Apr 2024 04:08:07 GMT https://community.splunk.com/t5/Splunk-Search/Query-missing-on-each-host/m-p/683773#M233455 CarolinaHB 2024-04-10T04:08:07Z https://community.splunk.com/t5/Splunk-Search/Query-missing-on-each-host/m-p/683775#M233456 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/222294">@CarolinaHB</a>,</P><P>there are two solutions that depend on the&nbsp; location of the monitoring perimeter:</P><P>if you have a lookup containing the list of each app that should be present in each host (called e.g. app_perimeter.csv and containing at least two fields: host and application), you could run something like this:</P><LI-CODE lang="markup">&lt;your_search&gt; | stats count BY host application | append [ | inputlookup app_perimeter.csv | eval count=0 | fields host application count ] | stats sum(count) AS total BY host application | eval status=if(total=0,"Missing","Present") | table host application status</LI-CODE><P>If instead you don't have this lookup and you want to compare results e.g. of the last 24 hours with the results of the last 30 days, you could run something like this:</P><LI-CODE lang="markup">&lt;your_search&gt; earliest=30d latest=now | eval period=if(_time&gt;now()-86400,"Last day","Previous days") | stats dc(period) AS period_count values(period) AS period BY host application | eval status=if(period_count=1 AND period="Previous days","Missing","Present") | table host application status</LI-CODE><P>Ciao.</P><P>Giuseppe</P><P>&nbsp;</P> Wed, 10 Apr 2024 05:40:31 GMT https://community.splunk.com/t5/Splunk-Search/Query-missing-on-each-host/m-p/683775#M233456 gcusello 2024-04-10T05:40:31Z