How to find hosts without logs by time?

skottska
New Member

Hi

I have a query which finds hosts without logs for the whole search and it looks like this:

| inputlookup hosts.csv | search NOT [search index=prod ("successfully placed") | dedup host | table host]

What I would like to be able to do is to split this over _time so that I can search for say "over the last 24 hours, which minutes have no logs by host".

I've tested with trying to squeeze in "bucket _time span=1m" but I can't figure out how to combine this with my hosts.csv lookup.

Anyone got any tips?

woodcock
Esteemed Legend

Like this:

| tstats count WHERE index=* BY host _time span=1m
| timechart limit=0 span=1m first(count) AS count BY host
| fillnull value=0
| untable _time host count
| where count=="0"

I do not see any reason to filter, but if you do, then add this:

| lookup hosts.csv host OUTPUT host AS found
| where isnotnull(found)
| fields - found
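Combining the hosts.csv list from the question with the per-minute approach above, as an added example (not from any of the posts): the appended zero-count row per expected host makes timechart emit a column even for a host that was silent for the entire window, which a plain tstats search never returns, so such hosts would otherwise be missed. It assumes index=prod, a 24-hour window, and a hosts.csv with a host column as in the question.

```spl
| tstats count WHERE index=prod earliest=-24h BY host _time span=1m
``` one zero-count row per expected host at the start of the window, so every host in hosts.csv becomes a timechart series ```
| append [ | inputlookup hosts.csv | eval count=0, _time=relative_time(now(), "-24h@m") | fields host _time count ]
| timechart span=1m limit=0 sum(count) AS count BY host
``` minutes with no events for a host are empty cells; make them explicit zeros ```
| fillnull value=0
| untable _time host count
| where count=0
``` keep only hosts listed in hosts.csv; hosts seen in the index but not in the list are dropped ```
| search [ | inputlookup hosts.csv | fields host ]
| sort host _time
```

The result is one row per (minute, host) pair in which an expected host logged nothing; removing the `where count=0` line gives the full per-minute count matrix instead.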

gcusello
SplunkTrust

Hi @skottska,
you have to create a lookup (called e.g. perimeter.csv, containing at least one field, host, and possibly other information that is useful for you, e.g. from a CMDB) and run something like this:

| metasearch your_search
| eval host=lower(host)
| stats count BY host
| append [ | inputlookup perimeter.csv | eval count=0, host=lower(host) | fields host count ]
| stats sum(count) AS total BY host
| where total=0

It's better to have the search as the main search and the lookup in the append, because there's a limit of 50,000 results in subsearches, and you can use the | metasearch command to speed up your search.

If you don't use the last row (| where total=0), you can see the status of your perimeter, which you can also display graphically with icons.

Ciao.
Giuseppe

drodman29
Path Finder

This is what I wrote for my system; the asset file contains the short name as Host and an Environment column.

| inputlookup MyAssets.csv
| append [search * | rex field=host "^(?<Host>\w*).?" | stats count by Host ]
| fillnull value=0 count
| stats values(Environment) as Environment, sum(count) as Events by Host
| fillnull value="Unknown Asset Reporting" Environment

Hosts with 0 events are not reporting, and Hosts with Unknown environments are unknown assets.