Splunk Search

Find hosts which are not reporting by both hostname or IP


Hello All

I originally asked a similar question


It did seem to work but, it now seems not to be working. So here is what I am doing.

  • Get a list of all hosts and IP in our DMZs that are being report live/active via Qualys scan of our networks
  • I take results from Qualys scan and place into a lookup file called dmzhosts.csv
  • I then take the dmzhosts.csv and run a search for hostname or IP address against index=. I am doing it this way as due to the fact that not every device that is reporting into Splunk has a universal forwarder. I use the following search: `index= [ inputlookup dmzhosts.csv | table IP | rename IP AS host | format] OR [ inputlookup dmzhosts.csv | table hostname | rename hostname AS host | format] | eval host=upper(host) | stats count by host | append [inputlookup dmzhosts.csv | eval count=0, hostname=upper(hostname)|rename hostname as host | fields host, count] | stats sum(count) AS Total by host | where Total=0 | outputlookup missingdmzhosts.csv`

The search is only run over for the last 24 hrs and is ran every morning at 6am. My issue is that I have actually setup and verified manually several hosts that were missing, these systems are appliances and can only send syslog, but again I have verified that I see their logs in Splunk. But my search still shows them as missing dmz hosts.

any help would be appreciated.


Get Updates on the Splunk Community!

Build Scalable Security While Moving to Cloud - Guide From Clayton Homes

 Clayton Homes faced the increased challenge of strengthening their security posture as they went through ...

Mission Control | Explore the latest release of Splunk Mission Control (2.3)

We’re happy to announce the release of Mission Control 2.3 which includes several new and exciting features ...

Cloud Platform | Migrating your Splunk Cloud deployment to Python 3.7

Python 2.7, the last release of Python 2, reached End of Life back on January 1, 2020. As part of our larger ...