Archive

Help with host not reporting search

Explorer

Looking for assistance with a search -

| metadata type=hosts | rename lastTime as "Last Event"| search host=**** | fieldformat "Last Event"=strftime('Last Event', "%c") | table host "Last Event" | rename host as Host

This search currently provides host and last reported event. I'm hoping to add one more column that essentially gives me a "Host Reporting" or "Host Not Reporting" based on last event time. "If "Last Event" is >10 minutes, show as "Host Not Reporting"

Any help would be appreciated.

Tags (1)
0 Karma
1 Solution

SplunkTrust
SplunkTrust

General guidelines - 1) eliminate records as early as possible 2) calculations that matter before reformats and renames 3) renames that make the names clumsy to program as LATE as possible.

| metadata type=hosts | search host=* 
| eval HostStatus=if(lastTime<relative_time(now(),"-10m"),"Not Reporting","Reporting") 
| fieldformat lastTime=strftime(lastTime, "%c") 
| rename host as Host, lastTime as "Last Event" 
| table Host "Last Event" HostStatus

Final note = %c format is REALLY clumsy to read or to scan down. Try this instead...

| eval "Last Event"=strftime(lastTime, "%Y-%m-%d %H:%M:%S.%3Q").case(relative_time(lastTime,"@d")=relative_time(now(),"@d")," ... (today)",
    relative_time(lastTime,"@d")>=relative_time(now(),"-1d@d")," ... (yesterday)",
    relative_time(lastTime,"@d")>=relative_time(now(),"-6d@d")," ... (last ".strftime(lastTime, "%A").")",
    relative_time(lastTime,"@d")>=relative_time(now(),"-70d@d")," ... (".round((now()-lastTime)/86400/7)." weeks ago)",
    true()," ... long ago")

View solution in original post

SplunkTrust
SplunkTrust

General guidelines - 1) eliminate records as early as possible 2) calculations that matter before reformats and renames 3) renames that make the names clumsy to program as LATE as possible.

| metadata type=hosts | search host=* 
| eval HostStatus=if(lastTime<relative_time(now(),"-10m"),"Not Reporting","Reporting") 
| fieldformat lastTime=strftime(lastTime, "%c") 
| rename host as Host, lastTime as "Last Event" 
| table Host "Last Event" HostStatus

Final note = %c format is REALLY clumsy to read or to scan down. Try this instead...

| eval "Last Event"=strftime(lastTime, "%Y-%m-%d %H:%M:%S.%3Q").case(relative_time(lastTime,"@d")=relative_time(now(),"@d")," ... (today)",
    relative_time(lastTime,"@d")>=relative_time(now(),"-1d@d")," ... (yesterday)",
    relative_time(lastTime,"@d")>=relative_time(now(),"-6d@d")," ... (last ".strftime(lastTime, "%A").")",
    relative_time(lastTime,"@d")>=relative_time(now(),"-70d@d")," ... (".round((now()-lastTime)/86400/7)." weeks ago)",
    true()," ... long ago")

View solution in original post

SplunkTrust
SplunkTrust

up vote for detailed answer,
@SMWickman be careful when using the metadata command as its not always accurate.
read this answer for detailed explanation:
https://answers.splunk.com/answers/294791/accuracy-of-metadata-command-in-large-environments.html

Explorer

Thank you! Appreciate the detailed response!