Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to find non-monitored hosts

Muthu_Vinith
Path Finder
‎12-02-2023 03:28 AM

Hey All, 

I’m a splunk beginner I'm looking to create a query that to be used  as an alert, specifically to identify servers not in the _inventory – those not being monitored by Splunk. If anyone could share insights, examples

Thank You

Labels (1)
Labels
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎12-02-2023 03:44 AM

Splunk is not good at finding things that aren't there - essentially, you would have to provide a list of all the servers you expect to find and discount all those that you do find, leaving you a list of servers which haven't been found.

0 Karma
Reply

Muthu_Vinith
Path Finder
‎12-04-2023 01:34 AM

I’ve a scenario where I want to compare of events from index=abc host=_inventory and  data from a lookup file that includes fields such as host, location, os, etc. The end goal is to point out servers that aren't being reported by Splunk. The structure of my Splunk events includes fields like location, tier, servers, and splunk_server. In the lookup file, I have fields like host, location, os, and more

I combined two data’s and what is the search condition to find out how servers are being monitored @ITWhisperer @PickleRick 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎12-04-2023 02:13 AM 
index=abc
| stats count by host
| inputlookup append=t yourlookup
| fillnull count
| stats sum(count) as count by host
| where count=0
0 Karma
Reply

Muthu_Vinith
Path Finder
‎12-04-2023 03:49 AM

This search will give results of servers that is not being reported Correct? @ITWhisperer 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎12-04-2023 04:05 AM

That's the idea - try it and see

0 Karma
Reply

Muthu_Vinith
Path Finder
‎12-04-2023 08:01 PM

I tired this method but it's giving me servers that is  monitored @ITWhisperer 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎12-05-2023 03:39 AM

This sounds like a data issue - you should check which hosts are coming up as not being monitored and see why they are not showing up in your index.

0 Karma
Reply

Muthu_Vinith
Path Finder
‎12-05-2023 09:47 AM

Sure @ITWhisperer 

0 Karma
Reply

Muthu_Vinith
Path Finder
‎12-04-2023 04:23 AM

Okay Thank you @ITWhisperer 

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎12-02-2023 03:44 AM

In splunk terminolgy it's not called "query" but "search".

Anyway, it's a common question how to "find" something that's not there.

See https://www.duanewaddle.com/proving-a-negative/

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...