Getting Data In

How can I compare what host am i missing?

mmcarty
New Member

I have an input lookup called servers.csv (header is called host)
that lookup has all the servers that should be reporting into my sourcetype called: index=main sourcetype=servers
i see the host using: index=main sourcetype=servers host=server1
I need to have a report of what hosts from that CSV are not reporting into my sourcetype.

thank you very much for helping me.

Tags (2)
0 Karma

somesoni2
Revered Legend

Try this. This will give list of hosts from your lookup which do not have any event in index=main sourcetype=servers for your selected time range of the query.

| tstats count WHERE index=main sourcetype=servers by host | eval isReporting=1 
| append [| inputlookup servers.csv | table host | eval isReporting=0]
| stats max(isReporting) as isReporting by host | where isReporting=0
0 Karma

mmcarty
New Member

Hello
First of all thank you very much for your reply.
i got 0 results :(, i copied and pasted but got no results.

0 Karma

somesoni2
Revered Legend

Do you get results when you run this?

| tstats count WHERE index=main sourcetype=servers by host | eval isReporting=1
0 Karma

mmcarty
New Member

Yes! first and second line give me results, when i do thrid line i got 0 no events.
thank you very much!

0 Karma

somesoni2
Revered Legend

Try running everything except the | where... part. It should return results. Then see in the results if you see any row with field isReporting as 0. If they're all 1 means all the servers are reporting. Also, what time range you're using for your search?

0 Karma
Get Updates on the Splunk Community!

3 Ways to Make OpenTelemetry Even Better

My role as an Observability Specialist at Splunk provides me with the opportunity to work with customers of ...

What's New in Splunk Cloud Platform 9.2.2406?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.2.2406 with many ...

Enterprise Security Content Update (ESCU) | New Releases

In August, the Splunk Threat Research Team had 3 releases of new security content via the Enterprise Security ...