Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to find non-monitored hosts

Muthu_Vinith
Path Finder
‎12-02-2023 03:28 AM

Hey All, 

I’m a splunk beginner I'm looking to create a query that to be used  as an alert, specifically to identify servers not in the _inventory – those not being monitored by Splunk. If anyone could share insights, examples

Thank You

Labels (1)
Labels
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎12-02-2023 03:44 AM

Splunk is not good at finding things that aren't there - essentially, you would have to provide a list of all the servers you expect to find and discount all those that you do find, leaving you a list of servers which haven't been found.

0 Karma
Reply

Muthu_Vinith
Path Finder
‎12-04-2023 01:34 AM

I’ve a scenario where I want to compare of events from index=abc host=_inventory and  data from a lookup file that includes fields such as host, location, os, etc. The end goal is to point out servers that aren't being reported by Splunk. The structure of my Splunk events includes fields like location, tier, servers, and splunk_server. In the lookup file, I have fields like host, location, os, and more

I combined two data’s and what is the search condition to find out how servers are being monitored @ITWhisperer @PickleRick 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎12-04-2023 02:13 AM 
index=abc
| stats count by host
| inputlookup append=t yourlookup
| fillnull count
| stats sum(count) as count by host
| where count=0
0 Karma
Reply

Muthu_Vinith
Path Finder
‎12-04-2023 03:49 AM

This search will give results of servers that is not being reported Correct? @ITWhisperer 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎12-04-2023 04:05 AM

That's the idea - try it and see

0 Karma
Reply

Muthu_Vinith
Path Finder
‎12-04-2023 08:01 PM

I tired this method but it's giving me servers that is  monitored @ITWhisperer 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎12-05-2023 03:39 AM

This sounds like a data issue - you should check which hosts are coming up as not being monitored and see why they are not showing up in your index.

0 Karma
Reply

Muthu_Vinith
Path Finder
‎12-05-2023 09:47 AM

Sure @ITWhisperer 

0 Karma
Reply

Muthu_Vinith
Path Finder
‎12-04-2023 04:23 AM

Okay Thank you @ITWhisperer 

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎12-02-2023 03:44 AM

In splunk terminolgy it's not called "query" but "search".

Anyway, it's a common question how to "find" something that's not there.

See https://www.duanewaddle.com/proving-a-negative/

0 Karma
Reply
Get Updates on the Splunk Community!

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

The latest enhancements across the Splunk Observability portfolio deliver greater flexibility, better data and ...

Alerting Best Practices: How to Create Good Detectors

At their best, detectors and the alerts they trigger notify teams when applications aren’t performing as ...

Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...

Hey Splunky people! We are excited to share the latest updates in Splunk Cloud Platform 9.3.2408. In this ...