How do you exclude dead machines from the Lost Forwarders search?

Explorer

I use the recommended search below to find lost forwarders after a 24-hour period.

http://www.splunk.com/wiki/Deploy:HowToFindLostForwarders

| metadata type=hosts | eval age = now() - lastTime | search age > 86400 | sort age d | convert ctime(lastTime) | fields age,host,lastTime

I had read in the documentation that if you wanted to exclude a dead machine from this search you could tag the host and exclude that tag from the search. How do I apply that exclusion to the above search if I have tag::host (dead)?

Or can I insert a "search age < 4302000" also?

I could not add a NOT for a tag since just metadata host was used. I did, however, add the | search NOT age < 860000 to not list hosts down over two weeks (presumed dead to me).

Thanks


Re: How do you exclude dead machines from the Lost Forwarders search?

Splunk Employee

I am not certain this will work, but you can try adding it to the end of your search:

... | search NOT tag::dead_host

If the above does not work, you will need to create a list of dead hosts and pass it in via a CSV file using inputcsv (use outputcsv to create the list). The appended search would be similar to the above, but combined with inputcsv.

Re: How do you exclude dead machines from the Lost Forwarders search?

Explorer

Or can I insert a "search age < 430200" also for not older than 5 days.

Re: How do you exclude dead machines from the Lost Forwarders search?

SplunkTrust

You can just do it in the search language, but the metadata command itself does not output tags. To get the tags decorated onto the hosts you have to pipe through the tags command.

See below:

| metadata type=hosts | tags | search NOT tag::dead

I just tested it out with some ad hoc tags in the search UI and it seems to work.

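
Putting the two answers in this thread together, below is the full lost-forwarders search with the dead-host exclusion applied. This is an added example, not code from either answer above or from the Splunk wiki page linked in the question. The first search assumes the hosts to drop carry a tag named dead, defined on the host field under Settings > Tags; the second assumes a lookup table file named dead_hosts.csv with a host column. Both names are placeholders.

```spl
| metadata type=hosts index=*
| tags outputfield=host_tags host
| search NOT host_tags=dead
| eval age = now() - lastTime
| where age > 86400
| sort -age
| convert ctime(lastTime)
| fields host, age, lastTime, host_tags

| metadata type=hosts index=*
| eval age = now() - lastTime
| where age > 86400
| search NOT [ | inputlookup dead_hosts.csv | fields host ]
| sort -age
| convert ctime(lastTime)
| fields host, age, lastTime
```

In the first search, tags writes each host's tags into host_tags (named by outputfield; without it the field is called tag::host), so the NOT clause drops tagged hosts while the column stays visible for the rest. Untagged hosts have no host_tags field at all and pass the NOT test. In the second, the subsearch expands to an OR of host=... terms built from the lookup; inputlookup reads a CSV uploaded as a lookup table file, whereas inputcsv, as suggested in the earlier answer, reads from $SPLUNK_HOME/var/run/splunk/csv, which is where outputcsv writes. index=* makes metadata cover every index rather than only the default search indexes.

Two checks worth keeping in mind. lastTime is the newest event timestamp seen for the host, so a forwarder whose events carry stale or future timestamps will look older or newer than it is; recentTime, the last index time, is the more reliable measure of whether a forwarder has actually stopped sending. And filtering with an ever-growing age cutoff (NOT age < N) hides exactly the hosts that have been silent the longest, which is where a quietly disabled forwarder on a compromised machine ends up; an explicit, maintained dead-host tag or lookup keeps unexplained silence visible.
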
Re: How do you exclude dead machines from the Lost Forwarders search?

Communicator

Thanks Nick, your answer solves a host of problems I was facing.

Re: How do you exclude dead machines from the Lost Forwarders search?

SplunkTrust

Friendly tip: you can add this as a comment on my answer rather than as its own answer, and I can watch for the change and come back and delete this comment of my own later.