- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How search total number services count based on ho...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How search total number services count based on host?
hai all,
i am checking about list of services down based on a host using below search
index=ivz_unix* Service source="Unix:Service" status=stopped
what was the search query use to check list of services down for a host based on host name.
for example i want to see for a host these services are in stopped state.
please help
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
i am not getting anything while checking with this
actually i want create a view as to check list of services in stopped state based on hostname
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Perhaps if you could share some of your events (anonymised of course) and which fields you already have extracted, we might be able to help you a bit more.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi events as for unix services data for source type Unix:Service"
2:36:57.000 PM
Wed Oct 26 09:36:57 CDT 2022 type=systemctl UNIT=systemd-readahead-done.service, LOADED=loaded, ACTIVE=inactive, SUB=dead, DESCRIPTION="Stop Read-Ahead Data Collection"
host = usinfsmbcld100source = Unix:Servicesourcetype = Unix:Service
10/26/22
2:36:57.000 PM
Wed Oct 26 09:36:57 CDT 2022 type=systemctl UNIT=systemd-readahead-collect.service, LOADED=loaded, ACTIVE=inactive, SUB=dead, DESCRIPTION="Collect Read-Ahead Data"
host = usinfsmbcld100source = Unix:Servicesourcetype = Unix:Service
10/26/22
2:36:57.000 PM
Wed Oct 26 09:36:57 CDT 2022 type=systemctl UNIT=systemd-modules-load.service, LOADED=loaded, ACTIVE=inactive, SUB=dead, DESCRIPTION="Load Kernel Modules"
host = usinfsmbcld100source = Unix:Servicesourcetype = Unix:Service
10/26/22
2:36:57.000 PM
Wed Oct 26 09:36:57 CDT 2022 type=systemctl UNIT=systemd-ask-password-plymouth.service, LOADED=loaded, ACTIVE=inactive, SUB=dead, DESCRIPTION="Forward Password Requests to Plymouth"
host = usinfsmbcld100source = Unix:Servicesourcetype = Unix:Service
10/26/22
2:36:57.000 PM
Wed Oct 26 09:36:57 CDT 2022 type=systemctl UNIT=rpc-statd-notify.service, LOADED=loaded, ACTIVE=inactive, SUB=dead, DESCRIPTION="Notify NFS peers of a restart"
host = usinfsmbcld100source = Unix:Servicesourcetype = Unix:Service
10/26/22
2:36:57.000 PM
Wed Oct 26 09:36:57 CDT 2022 type=systemctl UNIT=rhel-autorelabel.service, LOADED=loaded, ACTIVE=inactive, SUB=dead, DESCRIPTION="Relabel all filesystems, if necessary"
host = usinfsmbcld100source = Unix:Servicesourcetype = Unix:Service
10/26/22
2:36:57.000 PM
Wed Oct 26 09:36:57 CDT 2022 type=systemctl UNIT=rhel-autorelabel-mark.service, LOADED=loaded, ACTIVE=inactive, SUB=dead, DESCRIPTION="Mark the need to relabel after reboot"
host = usinfsmbcld100source = Unix:Servicesourcetype = Unix:Service
10/26/22
2:36:57.000 PM
Wed Oct 26 09:36:57 CDT 2022 type=systemctl UNIT=pxp-agent.service, LOADED=not-found, ACTIVE=inactive, SUB=dead, DESCRIPTION="pxp-agent.service"
host = usinfsmbcld100source = Unix:Servicesourcetype = Unix:Service
10/26/22
2:36:57.000 PM
Wed Oct 26 09:36:57 CDT 2022 type=systemctl UNIT=plymouth-quit-wait.service, LOADED=loaded, ACTIVE=inactive, SUB=dead, DESCRIPTION="Wait for Plymouth Boot Screen to Quit"
host = usinfsmbcld100source = Unix:Servicesourcetype = Unix:Service
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What fields do you already have extracted?
Which part of the event tells you what the service is?
Which part of the event tells you the status of the service?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Already extracted the fields host , service name ,description and status
so i want to know how many services are down for a host.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Note that you will have to use the correct field names and values for your usecase and that the where command is case-sensitive
index=ivz_unix* Service source="Unix:Service"
| stats latest(status) as status by host Service
| where status="stopped"
| stats count by host- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
its giving 0 results
but while it has data,how we can filter to list only services for a host
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It depends what events you have in your index (which you haven't shared).
Having said that, perhaps you want the latest status of the services on each host and count the number in the stopped state?
index=ivz_unix* Service source="Unix:Service"
| stats latest(status) as status by host Service
| where status="stopped"
| stats count by host
Join Us for Splunk University and Get Your Bootcamp Game On!
.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!
Announcing Scheduled Export GA for Dashboard Studio
