Any idea how to create a search that finds hosts that are sending BOTH syslog and splunkd traffic? We'd like to turn off syslog for these hosts.
what about this?
[search sourcetype=splunkd | dedup host | fields + host] sourcetype=syslog
The subsearch finds hosts that are generating splunkd events, then uses these hostnames to search for syslog sourcetypes.
What always springs to my mind for this kind of goal is:
3 is a bit clumsy. You can do it with the set command, but it is the clumsy part.
The Search & Indexing team is much more fond of a declarative sql-like style, and may have a more clever variation.
There's always the simplistic approach:
For the last 24 hours:
sourcetype=splunkd OR sourcetype=syslog | dedup host, sourcetype
Then review the data manually
If you wanted to get very fancy you could filter with something like:
sourcetype=splunkd OR sourcetype=syslog | dedup host, sourcetype | transaction host | search linecount=2
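A stats-based variant of the same search, added here as an example rather than taken from any of the answers above; it assumes only the two sourcetype names already used on this page and a 24-hour window:

```spl
sourcetype=splunkd OR sourcetype=syslog earliest=-24h
| stats dc(sourcetype) AS sourcetype_count
        values(sourcetype) AS sourcetypes
        latest(_time) AS last_seen
        by host
| where sourcetype_count=2
| convert ctime(last_seen)
| sort host
```

Counting distinct sourcetypes per host avoids the dedup/transaction/linecount chain and also lists the last time each host was seen, which helps when deciding which syslog senders are safe to switch off. If a host reports under different names in the two feeds (short name in one, FQDN in the other), normalize the host field before the stats step or the count will stay at 1.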