Getting Data In

Sourcetype Identification

Sandy
Explorer

Hi,

There is some host which is reporting to Splunk with a different sourcetype. We want to filter all the host which is only reporting for XYZ sourcetype. And host needs to be shown if it's reporting for XYZ sourcetype along with any other sourcetype. could you please help us on this query.


PickleRick
SplunkTrust

Let me rephrase this because it's not obvious what you need.

I understand that you have a bunch of hosts (let's say host1, host2, ... hostn) from which you're receiving various events with various sourcetypes.

And you want to know if - for each host - sourcetypes for events from this host include XYZ or not.

So effectively you need a table like

Host     Sends XYZ
host1    Yes
host2    no
...
hostn    no

 

If so, you might do

| tstats values(sourcetype) as sourcetypes where index=* by host
| eval SendsXYZ=if(sourcetypes="XYZ","Yes","No")
| fields - sourcetypes

Of course if you want to limit your search to a subset of your indexes, you might edit the index=* condition.

 


Sandy
Explorer

Please find the exact requirement below:

Consider same hosts like (Host1, Host2, Host3) and sourcetypes like (abc, def, xyz) which have a reporting table as below,

Host Name    Sourcetype Reporting
Host1        abc, xyz
Host2        xyz
Host3        abc, def, xyz

 

Here, as you see, Host1 & Host3 are reporting to other sourcetype as well apart from xyz. I want to filter the host having only xyz as the sourcetype. So, in this case it would be Host2.


isoutamo
SplunkTrust

Then you could try something like this (please check the syntax, as I don't have Splunk at hand to check it):

| tstats count values(sourcetype) as sts where index=* AND sourcetype="<your sourcetype>" by host
| where count > 0 AND mvcount(sts) = 1
| fields - count sts

r. Ismo

PickleRick
SplunkTrust

Ok. So my solution was relatively close. The first part was ok. That's how you get the aggregation:

| tstats values(sourcetype) as sourcetypes where index=* by host

This will give you a table very similar to the one you posted.

Now all you need to do is to filter it to only include the ones that have anything else than xyz.

To be fully precise, you want the ones that might include xyz, but not as a single value. When you join that with the requirement that there must be a sourcetype for every event (so you won't get empty sourcetypes from the aggregation above), you just need to find those entries which contain a value that is different than xyz.

| where sourcetypes!="xyz"

Luckily the match for multivalued fields is evaluated on every value from such a field and matches if the condition is fulfilled for any of the values.
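For the requirement in Sandy's table (return only Host2, the host whose sole sourcetype is xyz), here is an added, self-contained search that is not from any post above. It assumes the hosts write to indexes the searching user is allowed to read and that the time picker covers the period of interest; field names such as st_count and category are my own.

```spl
| tstats dc(sourcetype) AS st_count values(sourcetype) AS sourcetypes WHERE index=* BY host
| eval reports_xyz=if(sourcetypes="xyz","Yes","No")
| eval category=case(st_count=1 AND reports_xyz="Yes","only xyz", reports_xyz="Yes","xyz plus others", true(),"no xyz")
| where category="only xyz"
| table host sourcetypes category
```

Dropping the `where` line gives the per-host overview from the earlier reply (every host with its sourcetypes and whether xyz is among them), and `category="xyz plus others"` picks out Host1 and Host3 instead. Because tstats only counts events inside the selected time range, a host that stopped sending its other sourcetypes before the range starts will be reported as "only xyz".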

jotne
Builder

Here is what I do:

    your search
    | eval test=if(sourcetype="xyz",1,0)

Then you have a field that is 1 for xyz sourcetype and 0 for all other.

Sandy
Explorer

Hi Jotne,

We see that for all the hosts it is showing 0 only; could you please guide me on what changes are required.


jotne
Builder

Post some example data and how you like the result to be.
