Re: How can I count by host?

Harish2 · ‎07-25-2023

index=abc sourcetype=app_logs
|stats count as events by host, host_ip
|where events >0

When i schedule this as alert i am receiving alert only when there is no data in all the hosts, but i need to get an alert if there is no data from any ONE host as well

how can i do this???

gcusello · ‎07-26-2023

Hi @Harish2 ,

the correct condition is event=0 but event=0 isn't listed because there aren't events.

To do this, you need a list of all hosts to monitor in a lookup (caled e.g. perimeter.csv) containing at lease one column (host) and then running a search like this:

index=abc sourcetype=app_logs
| stats count BY host
| append [ | inputlookup perimeter.csv | eval count=0 | fields host ]
| stats sum(count) AS total 
| where total=0

Ciao.

Giuseppe

richgalloway · ‎07-25-2023

Finding something that is not there is not Splunk's strong suit. See this blog entry for a good write-up on it.

https://www.duanewaddle.com/proving-a-negative/

---
If this reply helps you, Karma would be appreciated.

How can I count by host?

stats

Pro Tips for First-Time .conf Attendees: Advice from SplunkTrust

Raise Your Skills at the .conf25 Builder Bar: Your Splunk Developer Destination

Hunt Smarter, Not Harder: Discover New SPL “Recipes” in Our Threat Hunting Webinar

Are you a member of the Splunk Community?

How can I count by host?

stats

Pro Tips for First-Time .conf Attendees: Advice from SplunkTrust

Raise Your Skills at the .conf25 Builder Bar: Your Splunk Developer Destination

Hunt Smarter, Not Harder: Discover New SPL “Recipes” in Our Threat Hunting Webinar