How do I check if Splunk is ingesting logs from a certain host/server, or what type of logs it is receiving? I need to validate whether a certain server/host is sending data to Splunk, please. Thank you in advance.
Hi @SamHTexas,
let me understand: you want to check whether a list of hosts (from a lookup) is sending a certain kind of log, is that correct?
if this is your need, you have to do two preparatory activities:
then you have to run a search like this:
index=wineventlog EventCode=4624
| eval host=lower(host)
| stats count BY host
| append [ | inputlookup perimeter.csv | eval host=lower(host), count=0 | fields host count ]
| stats sum(count) AS total BY host
| where total=0
In this way you get the list of the hosts from the lookup that didn't send logs of that kind.
Ciao.
Giuseppe
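The same lookup-driven check, written as an added example rather than the answer's own search, using tstats so it reads the index's tsidx summaries instead of scanning raw events (much cheaper on a large wineventlog index). It keeps the lookup name perimeter.csv and the index name from the answer, and assumes the lookup has a host column; the earliest=-24h window and the expected marker are choices made for this example. Because EventCode is extracted at search time, tstats cannot filter on it, so this variant answers "did the host send anything to the index in the window" rather than "did it send 4624 events", and it reports every expected host with a status instead of only the silent ones:

```spl
| tstats count AS events max(_time) AS lastSeen WHERE index=wineventlog earliest=-24h BY host
| eval host=lower(host)
| append [ | inputlookup perimeter.csv | eval host=lower(host), events=0, expected=1 | fields host events expected ]
| stats sum(events) AS events max(lastSeen) AS lastSeen max(expected) AS expected BY host
| where expected=1
| eval status=if(events=0, "SILENT", "OK")
| eval lastSeen=if(events=0, "never in window", strftime(lastSeen, "%Y-%m-%d %H:%M:%S"))
| table host status events lastSeen
```

The expected=1 marker comes only from the lookup rows, so "where expected=1" drops hosts that appear in the index but are not in perimeter.csv; the lower() on both sides is what makes the stats BY host merge a forwarder reporting SERVER5 with a lookup entry of server5. If the forwarders report fully qualified names while the lookup holds short names, normalise one side (for instance with replace(host, "\..*$", "")) before the stats, otherwise every host shows as SILENT.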
Thanks for your response. Let's say we have a server called server5. I am trying to see if there are any logs being ingested into Splunk Enterprise at all. So how do I search for that, please? Thank you again.
Hi @SamHTexas,
if you have to check whether you're receiving some kind of log from a single server, it's even easier:
index=* host=server5
The rule is:
if you have one host, you can use a simple search like the one above;
if instead you have more servers, it's better to use a lookup and the search from the previous answer.
Ciao.
Giuseppe
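An added example, not part of the answer above, for the single-host case: instead of returning raw events, it summarises what server5 has sent over the last seven days, broken down by index and sourcetype, so you see not only whether data arrives but where it lands. The host name server5 is the one from the question; the 7-day window is an assumption for this example, and the trailing wildcard is there because a forwarder configured with a fully qualified name reports host=server5.example.com, which a plain host=server5 would miss:

```spl
| tstats count AS events min(_time) AS firstSeen max(_time) AS lastSeen WHERE index=* host=server5* earliest=-7d BY index sourcetype host
| eval firstSeen=strftime(firstSeen, "%Y-%m-%d %H:%M:%S"), lastSeen=strftime(lastSeen, "%Y-%m-%d %H:%M:%S")
| sort - lastSeen
```

An empty result means nothing from that host was indexed in the window in any index your role is allowed to search; index=* never covers indexes your role cannot see, so a host can be sending data and still look silent from a restricted account. Before concluding the host is not forwarding, also consider that the host field is set by the forwarder's inputs.conf and can differ from the machine's actual name, so a quick "| metadata type=hosts index=*" listing (which also carries firstTime and lastTime per host) is a useful way to spot the name the data is actually arriving under.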