Re: How to find the missing source

splunkn · ‎09-23-2014

We are receiving various logs from many components. How to build a query to find the missing source.
I got the answer through lookup for unique logs such as /var/adm/corn.log ; /app/abc/srt.log
[By comparing the source in events against lookup values]

But Im not getting for the source which are using wildcards
For e.g Application app01 will have two host. Each having various logs
host1 - /app/abc/.log
host2- /app/cd/.log, /app/bcd/*.log

How to check these wildcard using sources with standard ones?

Any ideas?

alacercogitatus · ‎09-23-2014

You can use metadata. In a new search box:

 |metasearch host=<your_hosts> | streamstats dc(host) AS src_count by source | stats max(src_count) as cnt by source | where cnt < 2

This will search the metadata for the specified hosts, count the number of hosts by source, table the information using stats, and then return the sources with < 2 hosts. Those are the sources that are missing.

How to find the missing source

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Event Series: Splunk Observability Metrics Cost Optimization

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

Join the Conversation