Getting Data In

How do you exclude dead machines off the Lost Forwarders search.

djfisher
Explorer

I use the recommended search below to find lost forwarders after a 24hr period.

http://www.splunk.com/wiki/Deploy:HowToFindLostForwarders

| metadata type=hosts | eval age = now() - lastTime | search age > 86400 | sort age d | convert ctime(lastTime) | fields age,host,lastTime

I had read in the documentation that if you wanted to exclude a dead machine off this search you could tag the host and exclude that tag from the search. How do I apply that exclusion to the above search if I have tag::host (dead)?

Or can I insert a "search age < 4302000" also?

I could not add a NOT for a tag since just metadata host was used. I did however add the | search NOT age < 860000 to not list host down over two weeks, ( presumed dead to me ).

Thanks

Tags (2)
2 Solutions

Simeon
Splunk Employee
Splunk Employee

I am not certain this will work, but you can try adding it to the end of your search:

... | search NOT tag::dead_host

If the above does not work, you will need to create a list of dead hosts and pass those in via a csv file using inputcsv (outputcsv to create the list). The appended search would be similar to the above, but with a combination of inputcsv.

View solution in original post

0 Karma

sideview
SplunkTrust
SplunkTrust

You can just do it in the search language, but the metadata command itself does not output tags. To get the tags decorated onto the hosts you have to pipe through the tags command.

See below:

| metadata type=hosts | tags | search NOT tag::dead

just tested it out with some ad-hoc tags in the search ui and it seems to work.

View solution in original post

sanju005ind
Communicator

Thanks nick your answer solves a host of problems I was facing.

0 Karma

sideview
SplunkTrust
SplunkTrust

friendly tip - you can add this as a comment on my answer rather than its own answer. and I can watch for the change and come back and delete this comment of my own later.

0 Karma

sideview
SplunkTrust
SplunkTrust

You can just do it in the search language, but the metadata command itself does not output tags. To get the tags decorated onto the hosts you have to pipe through the tags command.

See below:

| metadata type=hosts | tags | search NOT tag::dead

just tested it out with some ad-hoc tags in the search ui and it seems to work.

Simeon
Splunk Employee
Splunk Employee

I am not certain this will work, but you can try adding it to the end of your search:

... | search NOT tag::dead_host

If the above does not work, you will need to create a list of dead hosts and pass those in via a csv file using inputcsv (outputcsv to create the list). The appended search would be similar to the above, but with a combination of inputcsv.

0 Karma

djfisher
Explorer

Or can I insert a "search age < 430200" also for not older than 5 days.

0 Karma
Get Updates on the Splunk Community!

Routing Data to Different Splunk Indexes in the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. The OpenTelemetry project is the second largest ...

Getting Started with AIOps: Event Correlation Basics and Alert Storm Detection in ...

Getting Started with AIOps:Event Correlation Basics and Alert Storm Detection in Splunk IT Service ...

Register to Attend BSides SPL 2022 - It's all Happening October 18!

Join like-minded individuals for technical sessions on everything Splunk!  This is a community-led and run ...