Reporting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Find a host that is reporting to one index, but not another.

lhanich1
Path Finder
‎02-21-2019 09:27 AM

I am attempting the following:

Find hosts that are logging to one index but not the other by the host field.

Use case, find hosts reporting via AWS API but are not logging host logs via OS UF.

I have tried a left join but my results are not consistent and have spent countless time trying to come to a solution.

Thanks in advance.

Tags (1)
0 Karma
Reply

somesoni2
Revered Legend
‎02-21-2019 09:37 AM

Try like this (assuming you don't need any other filter than on 'index' field to select your data

| tstats count WHERE index="AWS API index name here" OR index="OS UF index name here" by host index
| stats values(index) as indexes by host
| where mvcount(indexes)=1  AND index="AWS API index name here"
Reply

lhanich1
Path Finder
‎02-21-2019 09:53 AM

this actually doesnt return any results for some reason, i do have other fields i am filtering on.... but i did try the query as suggested to see the outcome but no results

0 Karma
Reply

somesoni2
Revered Legend
‎02-21-2019 09:58 AM

What's the query you tried? Also could you share your full query with additional filters? (mast anything sensitive)

0 Karma
Reply

pkeenan87
Communicator
‎02-21-2019 09:36 AM

I am going to assume that every host that reports into the aws index should also report into the os index. Something like this could work for you

index=index_one OR index=index_two | stats dc(index) as indexes_reporting values(index) as index_names by host | where indexes_reporting=1

This should return the hosts that are only reporting into one of the two indexes. The index that they are reporting into will be in the index_names field.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...