How can I compare what host am i missing?

mmcarty · ‎02-23-2018

I have an input lookup called servers.csv (header is called host)
that lookup has all the servers that should be reporting into my sourcetype called: index=main sourcetype=servers
i see the host using: index=main sourcetype=servers host=server1
I need to have a report of what hosts from that CSV are not reporting into my sourcetype.

thank you very much for helping me.

somesoni2 · ‎02-23-2018

Try this. This will give list of hosts from your lookup which do not have any event in index=main sourcetype=servers for your selected time range of the query.

| tstats count WHERE index=main sourcetype=servers by host | eval isReporting=1 
| append [| inputlookup servers.csv | table host | eval isReporting=0]
| stats max(isReporting) as isReporting by host | where isReporting=0

mmcarty · ‎02-23-2018

Hello
First of all thank you very much for your reply.
i got 0 results :(, i copied and pasted but got no results.

somesoni2 · ‎02-23-2018

Do you get results when you run this?

| tstats count WHERE index=main sourcetype=servers by host | eval isReporting=1

mmcarty · ‎02-23-2018

Yes! first and second line give me results, when i do thrid line i got 0 no events.
thank you very much!

somesoni2 · ‎02-23-2018

Try running everything except the | where... part. It should return results. Then see in the results if you see any row with field isReporting as 0. If they're all 1 means all the servers are reporting. Also, what time range you're using for your search?

How can I compare what host am i missing?

Index This | A sphere has three, a circle has two, and a point has zero. What is it?

Build Scalable Security While Moving to Cloud - Guide From Clayton Homes

Mission Control | Explore the latest release of Splunk Mission Control (2.3)