How to create a query that lists those switches no...

waJesu · ‎04-01-2022

I have a list of switches on our network and once in a while some of them stop reporting to Splunk. I need a query that lists those switches not reporting to be able to create a dashboard

gcusello · ‎04-01-2022

Hi @waJesu,

many of these devices send very few logs to Splunk so it isn't so easy define when there's a problem.

Anyway, if you have a list of these devices to monitor, you have to put all their hostnames in a lookup (called e.g. perimeter.csv) containing one column (called e.g. host, but it isn't a problem to use adifferent filename).

Then you have to run a search like this:

| metasearch index=your_index
| eval host=lower(host)
| stats count BY host
| append [ | inputlookup perimeter.csv | eval host=lower(host), count=0 | fields host count ]
| stats sum(count) AS total BY host
| where total=0

where "your_index" is the index where you are storing the logs from your devices.

Ciao.

Giuseppe

How to create a query that lists those switches not reporting to be able to create a dashboard

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you a member of the Splunk Community?

How to create a query that lists those switches not reporting to be able to create a dashboard

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem