Splunk Cloud Platform
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Use of IN Clause to find out available host in splunk

mchoudhary
Explorer
‎02-19-2025 08:32 AM

Hi Team,

I am a newbie in Splunk. I am using a basic IN clause in a search command to pull out the 36 windows server integration available or not in splunk.

index=* NOT index=_* host IN ("host1", "host2", "host3", ...., "host36")
| stats count by host

It gives me the servers which are available in splunk. I want to find out the missing ones and the available ones in this format-

hoststatus
host1Available
host2Available
host3Missing

I am using the below query but it only gives 6 statistics.

| makeresults count=1
| eval all_hosts="host1,host2,host3....host36"
| makemv delim="," all_hosts
| mvexpand all_hosts
| rename all_hosts AS host
| append [ search index=* NOT index=_* host=*
    | stats count by host ]
| stats values(count) AS event_count by host
| where host IN ("host1", "host2",....,"host36")
| eval status=if(isnull(event_count), "Missing", "Available")
| table host status
| sort status, host

 Can anyone please help me out what I am doing wrong.

Thanks in Advance!!

Labels (1)
Labels
Tags (2)
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎02-19-2025 09:37 AM

Try something like this

index=* NOT index=_* host=*
| stats count by host
| append
  [| makeresults
  | eval host=split("host1,host2,host3....host36",",")
  | mvexpand host
  | eval count=1]
| stats sum(count) AS event_count by host
| eval status=if(event_count = 1, "Missing", "Available")
| table host status
| sort status, host
0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...