Splunk Search

Find hosts which are not reporting by both hostname or IP


Hello All

I originally asked a similar question


It did seem to work but, it now seems not to be working. So here is what I am doing.

  • Get a list of all hosts and IP in our DMZs that are being report live/active via Qualys scan of our networks
  • I take results from Qualys scan and place into a lookup file called dmzhosts.csv
  • I then take the dmzhosts.csv and run a search for hostname or IP address against index=. I am doing it this way as due to the fact that not every device that is reporting into Splunk has a universal forwarder. I use the following search: `index= [ inputlookup dmzhosts.csv | table IP | rename IP AS host | format] OR [ inputlookup dmzhosts.csv | table hostname | rename hostname AS host | format] | eval host=upper(host) | stats count by host | append [inputlookup dmzhosts.csv | eval count=0, hostname=upper(hostname)|rename hostname as host | fields host, count] | stats sum(count) AS Total by host | where Total=0 | outputlookup missingdmzhosts.csv`

The search is only run over for the last 24 hrs and is ran every morning at 6am. My issue is that I have actually setup and verified manually several hosts that were missing, these systems are appliances and can only send syslog, but again I have verified that I see their logs in Splunk. But my search still shows them as missing dmz hosts.

any help would be appreciated.


Get Updates on the Splunk Community!

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...