Solved: hosts not reporting - Splunk Community

Monitoring Splunk

I have following search. how can I add indexes information in the results:

|tstats max(_time) as _time, where index=windows by host,index
|append [|metadata type=hosts index=win index=linux ]
| eval now=now() | eval diff= now - lastTime | search diff > 18000 | eval notreportingsince=tostring(diff,"duration")
| table host lastTime notreportingsince | convert ctime(lastTime) as lastTime
| table host notreportingsince lastTime,index

1 Solution

Solution

Try something like this

|tstats max(_time) as _time, where index=windows [|metadata type=hosts index=win index=linux 
| eval now=now() | eval diff= now - lastTime | where diff > 18000 | table host ] by host,index

View solution in original post

hi @ITWhisperer , I just need a list of hosts which are not reporting since last 5 days along with index information.

Solution

Try something like this

|tstats max(_time) as _time, where index=windows [|metadata type=hosts index=win index=linux 
| eval now=now() | eval diff= now - lastTime | where diff > 18000 | table host ] by host,index

What is it that you are trying to achieve that metadata is not giving you?

Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...