Create dashboard for hosts that have no results from a specific sourcetype

croseberry
Engager

Hey guys, I'm trying to create a dashboard that shows any host, within a group of specified hosts, that is not returning data from a specific sourcetype.

So what I have been trying so far, to no success, is:

index=xyz host=abc sourcetype=def
| timechart span=30min count by host usenull=f useother=f
| where count < 1

This won't show anything because it is going to have no events to report, but I'm not sure how I can create a variable based upon having no results back within a specific time and then do a timechart based upon the new variable by host.

Unless I'm going about this completely wrong lol, please help.


richgalloway
SplunkTrust

Finding something that is not there is not Splunk's strong suit.  See this blog entry for a good write-up on it.

https://www.duanewaddle.com/proving-a-negative/

---
If this reply helps you, Karma would be appreciated.
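The pattern behind "proving a negative", as an added example that is not part of either post or of the linked blog: seed the result set with every host you expect to report, then append the hosts that actually did, so the ones that only come from the expected list end up with a count of zero. It assumes a lookup file named expected_hosts.csv with a single column, host, that lists the monitored hosts; index, sourcetype and the 24-hour window are taken from the question and can be changed to suit.

```spl
| inputlookup expected_hosts.csv
| fields host
| eval count=0
| append
    [ search index=xyz sourcetype=def earliest=-24h
      | stats count BY host ]
| stats sum(count) AS count BY host
| where count=0
| table host
```

Hosts that sent even one event in the window get a non-zero sum and drop out; what remains is the list of silent hosts, which can be saved as a dashboard panel or turned into an alert on a non-empty result.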