I have one index that I've extracted a list of hostnames from. The search looks like this
index=support source=*splunkLogs* | rex "(apache|weblogic)\/(?<hosts>\w+)" | dedup hosts | table hosts | sort hosts
The search provides a list of hosts like this
cox_cpe1 cox_cpe2 cox_cpe3 cox_cpe4 cox_cpe5 cox_cpe6 cox_portal1 cox_portal2 cox_portal3 cox_portal4 etc etc....
I then need to search through another index to make sure that hostname and sourcetype (sourcetype will be 1 of 2 values, either access_combined or wls_managedserver) exists by day.
For example if cox_cpe1 with a sourcetype of access_combined exists for October 23rd then move on.... If it doesn't then capture that and proceed on to the next host from the list.
The first search was easy enough, not sure where to begin on the second one.
If the number of searches doesn't change that frequently (like hourly), then I would set up the first search as a daily scheduled saved search to save the list of servers in a lookup table file. I would then use this lookup table in the second search so as to avoid querying the first index every time.
Search 1: Scheduled to run daily, looking back last 24 Hr OR yesterday time range.
index=support source=*splunkLogs* | rex "(apache|weblogic)\/(?<host>\w+)" | stats count by host | table host | inputlookup host_lookup.csv append=t | dedup host | outputlookup host_lookup.csv
Search 2: Check if the hosts from lookup are reporting with those two sourcetypes, for specific time range
index=yourIndex sourcetype=access_combined OR sourcetype=wls_managedserver [| inputlookup host_lookup.csv | table host ] | chart count over host by sourcetype | inputlookup host_lookup.csv append=t | stats values(*) as * by host
To find hosts which have not reported, just add
| where isnull(access_combined) OR isnull(wls_managedserver) to the end.
Hmmmm, odd..... I don't get any results from Search 2 with or without the isnull.
hang on found one syntax error (lowercase or) now testing 🙂
Poomp... I also made a typo in the last stats (used hosts instead of host). Fixed.
tks!!!! Works like a charm 🙂
One day I hope to be as smart as you guys!
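The per-day check asked about in the question, modelled in Python as an added example (not code from the thread): it reuses the thread's regex to build the host list, then reports every day/host/sourcetype combination with no event. Like the `isnull(...) OR isnull(...)` filter above, it assumes every host should report both sourcetypes; the source paths, the year and the events are constructed sample data.

```python
import re
from datetime import date, timedelta

# Same pattern as the rex in the thread, in Python named-group syntax.
HOST_RE = re.compile(r"(apache|weblogic)/(?P<host>\w+)")
# Sourcetypes named in the thread.
SOURCETYPES = ("access_combined", "wls_managedserver")

def expected_hosts(sources):
    """Search 1: unique, sorted host names pulled from source paths."""
    found = (HOST_RE.search(s) for s in sources)
    return sorted({m.group("host") for m in found if m})

def missing_by_day(hosts, events, start, end):
    """Search 2 split by day: (day, host, sourcetype) combos with no event."""
    seen = set(events)
    gaps = []
    day = start
    while day <= end:  # inclusive date range
        for host in hosts:
            gaps += [(day, host, st) for st in SOURCETYPES
                     if (day, host, st) not in seen]
        day += timedelta(days=1)
    return gaps

# Constructed sample data (hypothetical paths and dates, not from the thread).
SAMPLE_SOURCES = [
    "/logs/splunkLogs/apache/cox_cpe1/access.log",
    "/logs/splunkLogs/weblogic/cox_portal1/server.log",
    "/logs/splunkLogs/apache/cox_cpe1/error.log",
    "/logs/splunkLogs/other/readme.txt",  # no apache/weblogic segment: ignored
]
D23, D24 = date(2014, 10, 23), date(2014, 10, 24)
SAMPLE_EVENTS = [  # (day, host, sourcetype) seen in the second index
    (D23, "cox_cpe1", "access_combined"),
    (D23, "cox_cpe1", "wls_managedserver"),
    (D23, "cox_portal1", "access_combined"),
    (D24, "cox_cpe1", "access_combined"),
    (D24, "cox_portal1", "access_combined"),
    (D24, "cox_portal1", "wls_managedserver"),
]

if __name__ == "__main__":
    hosts = expected_hosts(SAMPLE_SOURCES)
    for day, host, st in missing_by_day(hosts, SAMPLE_EVENTS, D23, D24):
        print(f"{day} {host} missing sourcetype={st}")
```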