Splunk Search

How to find the missing source

splunkn
Communicator

We are receiving various logs from many components. How to build a query to find the missing source.
I got the answer through lookup for unique logs such as /var/adm/corn.log ; /app/abc/srt.log
[By comparing the source in events against lookup values]

But Im not getting for the source which are using wildcards
For e.g Application app01 will have two host. Each having various logs
host1 - /app/abc/.log
host2- /app/cd/
.log, /app/bcd/*.log

How to check these wildcard using sources with standard ones?

Any ideas?

Tags (2)
0 Karma

alacercogitatus
SplunkTrust
SplunkTrust

You can use metadata. In a new search box:

 |metasearch host=<your_hosts> | streamstats dc(host) AS src_count by source | stats max(src_count) as cnt by source | where cnt < 2

This will search the metadata for the specified hosts, count the number of hosts by source, table the information using stats, and then return the sources with < 2 hosts. Those are the sources that are missing.

0 Karma
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...