Solved: Query for host not sending sourcetype

diegosainz · ‎05-24-2013

I am trying to find out how to identify which host(s) are not sending a particular datasource. Is there a query to identify this?

martin_mueller · ‎05-24-2013

There's a query for virtually everything 🙂

I'd go along this path: Compute a list of all your hosts and subtract the list of hosts sending the particular sourcetype... something like this:

| metadata type=hosts index=* | fields host | search NOT [search index=* sourcetype=particular | fields host | dedup host]

Note, replace index=* if you only want to search a specific set of indexes.

martin_mueller · ‎05-24-2013

There's a query for virtually everything 🙂

I'd go along this path: Compute a list of all your hosts and subtract the list of hosts sending the particular sourcetype... something like this:

| metadata type=hosts index=* | fields host | search NOT [search index=* sourcetype=particular | fields host | dedup host]

Note, replace index=* if you only want to search a specific set of indexes.

Query for host not sending sourcetype