Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to create a query that lists those switches not reporting to be able to create a dashboard

waJesu
Path Finder
‎04-01-2022 08:19 AM

I have a list of switches on our network and once in a while some of them stop reporting to Splunk. I need a query that lists those switches not reporting to be able to create a dashboard

Labels (1)
Labels
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎04-01-2022 08:25 AM

Hi @waJesu,

many of these devices send very few logs to Splunk so it isn't so easy define when there's a problem.

Anyway, if you have a list of these devices to monitor, you have to put all their hostnames in a lookup (called e.g. perimeter.csv) containing one column (called e.g. host, but it isn't a problem to use adifferent filename).

Then you have to run a search like this:

| metasearch index=your_index
| eval host=lower(host)
| stats count BY host
| append [ | inputlookup perimeter.csv | eval host=lower(host), count=0 | fields host count ]
| stats sum(count) AS total BY host
| where total=0

where "your_index" is the index where you are storing the logs from your devices.

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...