Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Checking Host's status as offline or online by comparing data from today vs yesterday

mbasharat
Builder
‎04-15-2020 06:49 AM

Hi,

I have vulnerability scanner that scans all device on our network every day. The agent of vulnerability scanner is on all endpoints being scanned. When an endpoint is offline or being rebooted, it misses the scan and does not appear in scan so does not appear in Splunk.

What I need is, I need a Splunk search that tells me the status of endpoint being online/offline by using above data. For example, is it possible to compare yesterday's data when endpoint appeared on scan vs today when an endpoint did not appear in scan and show results as below?

alt text

Labels (2)
Labels
Tags (1)
Preview file
11 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

DalJeanis
Legend
‎04-15-2020 08:06 AM

If you can assume that each host will have been checked at least once in the last 48 hours, and if they all get the exact same time when they are scanned, then you could do something like this:

your search that gets _time and Server for all scans for the last 48 hours
| fields _time Server
| stats min(_time) as minTime max(_time) as maxTime by Server
| eventstats max(maxTime) as latestTime
| eval Status=if(maxTime=latestTime,"Online","Offline") 
| addinfo 
| eval AsOfTime =strftime(info_max_time,"%Y-%m-%d %H:%M:%S.%3Q")
| eval minTime  =strftime(minTime,"%Y-%m-%d %H:%M:%S.%3Q")
| eval _time = maxTime
| eval maxTime  =strftime(maxTime,"%Y-%m-%d %H:%M:%S.%3Q")
| eval latestTime  =strftime(latestTime,"%Y-%m-%d %H:%M:%S.%3Q")
| table Server _time Status minTime maxTime latestTime

If the servers do not all get identical scan times, then do this: 

your search that gets _time and Server for all scans for the last 48 hours
| fields _time Server
| stats min(_time) as minTime max(_time) as maxTime by Server
| eventstats max(maxTime) as latestTime
| eval splitTime=latestTime - 24*3600
| eval Status=if(maxTime>splitTime,"Online","Offline") 
| addinfo 
| eval AsOfTime =strftime(info_max_time,"%Y-%m-%d %H:%M:%S.%3Q")
| eval minTime  =strftime(minTime,"%Y-%m-%d %H:%M:%S.%3Q")
| eval _time = maxTime
| eval maxTime  =strftime(maxTime,"%Y-%m-%d %H:%M:%S.%3Q")
| eval latestTime  =strftime(latestTime,"%Y-%m-%d %H:%M:%S.%3Q")
| table Server _time Status minTime maxTime latestTime

In the above outputs, LatestTime is the last scan that was performed for any Server, _time and maxTime are the latest scan time for that Server, and minTime is the earliest scan time for that server.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

jpolvino
Builder
‎04-15-2020 10:54 AM

While not a direct solution, you can always look into the use of sentinel values. I found this Splunk .conf 2015 presentation helpful, with focus on slide 25.

The challenge you describe is identifying what is missing, which is hard to do if you don't know what should exist in the first place. It's like asking a classroom: "OK, who isn't here today?"

0 Karma
Reply
Solved! Jump to solution
Solution

DalJeanis
Legend
‎04-15-2020 08:06 AM

If you can assume that each host will have been checked at least once in the last 48 hours, and if they all get the exact same time when they are scanned, then you could do something like this:

your search that gets _time and Server for all scans for the last 48 hours
| fields _time Server
| stats min(_time) as minTime max(_time) as maxTime by Server
| eventstats max(maxTime) as latestTime
| eval Status=if(maxTime=latestTime,"Online","Offline") 
| addinfo 
| eval AsOfTime =strftime(info_max_time,"%Y-%m-%d %H:%M:%S.%3Q")
| eval minTime  =strftime(minTime,"%Y-%m-%d %H:%M:%S.%3Q")
| eval _time = maxTime
| eval maxTime  =strftime(maxTime,"%Y-%m-%d %H:%M:%S.%3Q")
| eval latestTime  =strftime(latestTime,"%Y-%m-%d %H:%M:%S.%3Q")
| table Server _time Status minTime maxTime latestTime

If the servers do not all get identical scan times, then do this: 

your search that gets _time and Server for all scans for the last 48 hours
| fields _time Server
| stats min(_time) as minTime max(_time) as maxTime by Server
| eventstats max(maxTime) as latestTime
| eval splitTime=latestTime - 24*3600
| eval Status=if(maxTime>splitTime,"Online","Offline") 
| addinfo 
| eval AsOfTime =strftime(info_max_time,"%Y-%m-%d %H:%M:%S.%3Q")
| eval minTime  =strftime(minTime,"%Y-%m-%d %H:%M:%S.%3Q")
| eval _time = maxTime
| eval maxTime  =strftime(maxTime,"%Y-%m-%d %H:%M:%S.%3Q")
| eval latestTime  =strftime(latestTime,"%Y-%m-%d %H:%M:%S.%3Q")
| table Server _time Status minTime maxTime latestTime

In the above outputs, LatestTime is the last scan that was performed for any Server, _time and maxTime are the latest scan time for that Server, and minTime is the earliest scan time for that server.

0 Karma
Reply
Solved! Jump to solution

mbasharat
Builder
‎04-15-2020 11:06 AM

Thanks @ Daljeanis!!! I used the second option as all scan times are different. Tiny typo adjustment from mintime to minTime @ last line 🙂

Reply
Solved! Jump to solution

DalJeanis
Legend
‎04-15-2020 01:55 PM

Great. Glad we could help. Typos fixed.

0 Karma
Reply
Solved! Jump to solution

to4kawa
Ultra Champion
‎04-15-2020 07:31 AM

why do you compare the results?
today' s status is missing, status is offline.
Is this enough?

0 Karma
Reply
Get Updates on the Splunk Community!

Your Guide to Splunk Digital Experience Monitoring

A flawless digital experience isn't just an advantage, it's key to customer loyalty and business success. But ...

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

Join us on Wed, Dec 10. at 10AM PST / 1PM EST for a live webinar and demo with Splunk experts! Discover how ...