Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to create a query that lists those switches not reporting to be able to create a dashboard

waJesu
Path Finder
‎04-01-2022 08:19 AM

I have a list of switches on our network and once in a while some of them stop reporting to Splunk. I need a query that lists those switches not reporting to be able to create a dashboard

Labels (1)
Labels
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎04-01-2022 08:25 AM

Hi @waJesu,

many of these devices send very few logs to Splunk so it isn't so easy define when there's a problem.

Anyway, if you have a list of these devices to monitor, you have to put all their hostnames in a lookup (called e.g. perimeter.csv) containing one column (called e.g. host, but it isn't a problem to use adifferent filename).

Then you have to run a search like this:

| metasearch index=your_index
| eval host=lower(host)
| stats count BY host
| append [ | inputlookup perimeter.csv | eval host=lower(host), count=0 | fields host count ]
| stats sum(count) AS total BY host
| where total=0

where "your_index" is the index where you are storing the logs from your devices.

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

As of Splunk Cloud Platform 9.3.2408 and Splunk Enterprise 9.4, classic dashboard export features are now ...

Explore the Latest Educational Offerings from Splunk (November Releases)

At Splunk Education, we are committed to providing a robust learning experience for all users, regardless of ...

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

The latest enhancements across the Splunk Observability portfolio deliver greater flexibility, better data and ...