Splunk Search

Check multiple hosts for existence

seva98
Path Finder

I have list of around 100 hosts that are sending data to index and I would love to return a table with hostname and status of 0 (didn't receive any date from it in selected time range) and 1 (did receive the data).

I am able to search through multiple hosts with OR like `host=test1 OR host=test2 OR ...` but I am not sure how to display status 0 at hosts that are not found.

What would be efficient solution for this please?

Labels (3)
0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust
See https://www.duanewaddle.com/proving-a-negative/
---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway
SplunkTrust
SplunkTrust
See https://www.duanewaddle.com/proving-a-negative/
---
If this reply helps you, Karma would be appreciated.

seva98
Path Finder

Thanks Rich, that is so simple but also very scaleable solution.

0 Karma
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Think Like an Architect: Introducing the Splunk Certified Cybersecurity Defense ...

In cybersecurity, defenders respond to threats. Architects design the systems that stop them.    As ...

Best Practices: Splunk auto adjust pipeline queue

When you enable autoAdjustQueue in Splunk, maxSize should be understood as the queue size Splunk starts with ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...