Deployment Architecture

Get list of servers not sending logs

walia_sapient
Engager

i want to get list of servers from the csv which are not sending any logs to splunk like for past 48 hours with time when it stopped ingesting. i am trying below query but no success.

| metadata type=hosts index=*
| where lastTime < relative_time(now(),"-24h") AND totalCount > 0
| convert ctime(lastTime) as "Time when stopped" ctime(firstTime) as "Time when Started"
| table host "Time when stopped"
| search
[| inputlookup xyz.csv |fields hostname] | table host "Time when stopped"

0 Karma

Luthufudheen
Loves-to-Learn

Please refer below to get list of host which are not sending logs without using a lookup.

https://www.splunk.com/en_us/blog/tips-and-tricks/how-to-determine-when-a-host-stops-sending-logs-to...

0 Karma

sanjeev543
Communicator

Please try below query

| tstats latest(_time) as l earliest(_time) as e where index=*
[| inputlookup x.csv
| rename hostname as host
| table host] by host
| eval diff=now()-l
| eval diff_in_days = round(diff/86400,2)
| convert ctime(l) as lasttime ctime(e) as first
| where diff_in_days>1

0 Karma

walia_sapient
Engager

shows error in the query

0 Karma

sanjeev543
Communicator

@walia_sapient Could you please give the error message ?

0 Karma

walia_sapient
Engager

okay there was a extra dot in the query mistakenly , errors removed but the query is not returning any results though there are few servers from csv which are not sending logs

0 Karma

sanjeev543
Communicator

For me it did work, however there is otherway

| tstats latest(_time) as l earliest(_time) as e where index=* host IN (x,y,z,a,.......) by host | eval diff=now()-l | eval diff_in_days = round(diff/86400,2) | convert ctime(l) as lasttime ctime(e) as first | where diff_in_days>1

place the host names from your CSV the above query for host IN by separating them with ,

0 Karma

somesoni2
SplunkTrust
SplunkTrust

Try this

List the hosts who have not sent any data in last 48 hours.

| tstats count WHERE index=* earliest=-48h [| inputlookup xyz.csv |table hostname | rename hostname as host ] by host 
| append  [| inputlookup xyz.csv |table hostname | rename hostname as host | eval count=0 ] 
| stats max(count) as count by host | where count=0 
0 Karma

walia_sapient
Engager

It didn't work giving false results

0 Karma

gaurav_maniar
Builder

Hi,

If your are just looking for sever list, below query will do the work, (select time range for 48 hours)

| metadata type=hosts index=*
| lookup xyz.csv hostname as host OUTPUTNEW other_field as other_field
| where isnull(other_field)
| table host

other_field - select any field from the lookup

happy splunking .....!!!!

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...