Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to create timechart of events from servers that appeared last week, but not the last 24 hours?

yanivamram
Path Finder
‎08-14-2014 01:11 PM

Hi,
I have hundreds of servers that report to Splunk.
I would like to create a timechart that will include only events from servers that didn't report in last 24 hours (but did report in the past week).

What is the best way to do that?

Thanks,

Yaniv

Tags (2)
Reply
1 Solution
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎08-14-2014 02:05 PM

You could do this:

| tstats count where index=yourindex AND
    [ tstats latest(_time) as latest where index=yourindex by host
    | where latest < relative_time(now(), "-24h") | fields host ]
  by _time host | timechart count by host

Run that over the last 7 days.

View solution in original post

Reply
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎08-14-2014 02:05 PM

You could do this:

| tstats count where index=yourindex AND
    [ tstats latest(_time) as latest where index=yourindex by host
    | where latest < relative_time(now(), "-24h") | fields host ]
  by _time host | timechart count by host

Run that over the last 7 days.

Reply
Solved! Jump to solution

yanivamram
Path Finder
‎08-17-2014 12:12 AM

Thanks Martin,
It was very helpful 🙂

0 Karma
Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎08-14-2014 02:47 PM

Sure. Same strategy, except that - unless the field is indexed - you can't speed things up with tstats so it'd look like this:

index=yourindex sourcetype=yoursourcetype
  [ search index=yourindex sourcetype=yoursourcetype | stats latest(_time) as latest by ServerName | where latest < relative_time(now(), "-24h") | fields ServerName ]
| timechart count by ServerName
Reply
Solved! Jump to solution

yanivamram
Path Finder
‎08-14-2014 02:34 PM

Thanks for the quick response.
I probably didn't explain myself properly 😞
I've a log collector that write a single log file from many servers, and this log reported to Splunk.
So the Server that I'm looking for is part of the event reported to Splunk(it is NOT the 'host' field).
The log will look like:
ServerName=

is that doable to search for all Servers that appeared in last week but doesn't appear in last 24H?

Thanks again,
Yaniv

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...