Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How do I know if a host is not sending me data?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How do I know if a host is not sending me data?
If I have a lookup table formatted like this:
lookup_host,os
host1,linux
host2,linux
host3,sunos
And say I'm sending data to: source=/data/unix/syslog.log
In my search, I can do something like:
source=/data/unix/syslog.log os=linux ... and that correctly shows me everything received from host1 and host2 ...
But, I'd like to be able to use the lookup table to tell me who's not sending me data.
Not quite sure how I would format a search to do that.
Thanks very much, hopefully I made this fairly clear ...
Paul Keller
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can query the lookup file first and then remove ones that you are receiving data from. Suppose that you had a search that returned the list of hosts that you are receiving data from like:
source=/data/unix/syslog.log os=linux | stats count by host |rename host as lookup_host|fields +lookup_host
Then you could use something like:
| inputlookup lookupfile |search NOT [source=/data/unix/syslog.log | stats count by host |rename host as lookup_host|fields +lookup_host] |fields +lookup_host
You can then create an alert if this returns any lines.
That should return
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you ... I did manage to get the data I needed using:
source=/data/unix/syslog.log | inputlookup append=true lookupfile| stats count(linecount) as linecount by lookup_host | where linecount < 1
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I forgot to add [search source=...] This is the syntax for a subsearch.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you. I tried this, but received an error that seemed to occur at the [source=/data/unix/syslog.log point ... It says: "Search operation 'source' is unknown. You might not have permission to run this operation"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for responding ... I'm looking for the latter ... those who have never sent any data. ( Or maybe no data in the past 30 days ... ) but never would be a good jumping off point. cheers-Paul
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
do want to know last time it sent you data and hasnot send any since a while or just those who never sent you data?
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Observability Simplified: Combining User Experience, Application Performance & ...
Event Series May & June: From Network Visibility to Service Intelligence
Global Splunk User Group Events: May + June 2026
