I need to find the missing list of process from a list of hosts and setup an alert
There will be number of process ~ 16 process to be monitored on number of hosts.
I need some help in evaluating which process is missing
I can take lookup file approach but would like to do a search and eval with out using a lookup.
I tried this way
earliest=-10m@m (index=os* OR index=matrix_os) source=ps host=abc* |rex field=COMMAND "somename\/(?[^\/]*)/httpd/sbin/httpd" |stats count by inst host |eval mylist="inst0,inst1,test1,test2" |eval procname=split(mylist,",")|mvexpand procname|eval is_running=if(match(procname, inst),1,0)|table is_running host inst count procname
This lists out all matching and non matching . I want to just list out where procname=test1 on host which is not found.
Do it like this (will need adjustment; this is run-anywhere):
index=_* | append [| makeresults | fields - _time | rename COMMENT1of2 AS "All real events will have a 'host' value, but these 'sentinel' events will not" | rename COMMENT2of2 AS "This section would best be done as a 'lookup' using '|inputlookup append=t' instead of '|makeresults'." | eval sourcetype="audittrail kvstore mongod scheduler splunk_disk_objects splunk_python splunk_resource_usage splunk_web_access splunk_web_service splunkd splunkd_access splunkd_ui_access ta_snow ta_snow_util this_will_never_have_data" | makemv sourcetype] | stats count(host) AS count BY sourcetype | eval is_running=if((count>0), 1, 0)