Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to create a query that lists those switches not reporting to be able to create a dashboard

waJesu
Path Finder
‎04-01-2022 08:19 AM

I have a list of switches on our network and once in a while some of them stop reporting to Splunk. I need a query that lists those switches not reporting to be able to create a dashboard

Labels (1)
Labels
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎04-01-2022 08:25 AM

Hi @waJesu,

many of these devices send very few logs to Splunk so it isn't so easy define when there's a problem.

Anyway, if you have a list of these devices to monitor, you have to put all their hostnames in a lookup (called e.g. perimeter.csv) containing one column (called e.g. host, but it isn't a problem to use adifferent filename).

Then you have to run a search like this:

| metasearch index=your_index
| eval host=lower(host)
| stats count BY host
| append [ | inputlookup perimeter.csv | eval host=lower(host), count=0 | fields host count ]
| stats sum(count) AS total BY host
| where total=0

where "your_index" is the index where you are storing the logs from your devices.

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

(view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...