Splunk Search

Find hosts which are not reporting by both hostname or IP

edwardrose
Contributor

Hello All

I originally asked a similar question

https://answers.splunk.com/answers/682992/how-do-i-use-a-comparison-search-to-find-all-devic.html

It did seem to work, but it now seems not to be working. So here is what I am doing.

  • Get a list of all hosts and IPs in our DMZs that are being reported live/active via a Qualys scan of our networks
  • I take the results from the Qualys scan and place them into a lookup file called dmzhosts.csv
  • I then take the dmzhosts.csv and run a search for hostname or IP address against index=. I am doing it this way due to the fact that not every device that is reporting into Splunk has a universal forwarder. I use the following search:

```
index= [ inputlookup dmzhosts.csv | table IP | rename IP AS host | format] OR [ inputlookup dmzhosts.csv | table hostname | rename hostname AS host | format]
| eval host=upper(host)
| stats count by host
| append [inputlookup dmzhosts.csv | eval count=0, hostname=upper(hostname)|rename hostname as host | fields host, count]
| stats sum(count) AS Total by host
| where Total=0
| outputlookup missingdmzhosts.csv
```

The search is only run over the last 24 hrs and is run every morning at 6am. My issue is that I have actually set up and verified manually several hosts that were missing. These systems are appliances and can only send syslog, but again I have verified that I see their logs in Splunk. But my search still shows them as missing DMZ hosts.

Any help would be appreciated.

Thanks
ed
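
Added example, not part of the original post: in the posted search, events from a device that reports by IP are counted under `host=<IP>`, while the appended lookup rows are keyed by hostname only, so that device's hostname row still sums to 0 and it is written out as missing. The variant below credits each lookup row with events seen under either its hostname or its IP; `<your_index>` is a placeholder for the index name, which the post leaves blank, and every row of dmzhosts.csv is assumed to have both a `hostname` and an `IP` value.

```spl
| tstats count AS events WHERE index=<your_index> earliest=-24h BY host
| eval key=upper(host)
| stats sum(events) AS events BY key
| append
    [| inputlookup dmzhosts.csv
     | eval hostname=upper(hostname), key=mvappend(hostname, IP), events=0
     | mvexpand key
     | fields hostname IP key events ]
| eventstats sum(events) AS key_events BY key
| where isnotnull(hostname)
| stats sum(key_events) AS Total BY hostname IP
| where Total=0
| outputlookup missingdmzhosts.csv
```

A device whose `host` value in Splunk is neither its lookup hostname nor its lookup IP (for example an FQDN where the lookup holds the short name) will still be listed as missing.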
