How can I know whether a particular host is sending data or not? And how can I know whether the Splunk agent is installed on a particular host or not? Please help me with a search query and what we have to observe from the search result.
Hi sravankaripe,
If you want to know the hosts that don't send logs, the solution from @sundareshr is perfect.
If you want to have a table with all the hosts and an indication of which are sending and which aren't, you could use something like this:
| inputlookup hostlist.csv | eval count=0, host=lower(host) | append [ search index=_internal | eval host=lower(host) | stats count by host ] | stats sum(count) AS Total BY host | rangemap field=Total severe=0-0 low=1-1000000000 default=severe
In this way, hosts marked severe aren't sending and hosts marked low are sending.
You could also add a graphical representation using
script="table_icons_rangemap.js", stylesheet="table_decorations.css"
that you can take from the Splunk 6.0 Dashboard Examples App (https://splunkbase.splunk.com/app/1603/).
Bye.
Giuseppe
You will first need to create a list of all the hosts in your environment and use that to create a lookup file (the csv file should have a field called host):
http://docs.splunk.com/Documentation/Splunk/6.5.0/SearchReference/Lookup
Once you have the lookup, try this search:
| inputlookup hostlist.csv | fields host | search NOT [| metadata type=hosts index=* | fields host]
I know index=_internal sourcetype=splunkd
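An added example (not from either answer above) that combines both checks the question asks for: whether a forwarder on each inventoried host is phoning home (splunkd logs in _internal, as in the comment above) and whether the host's own data has been indexed recently (metadata, as in sundareshr's answer). It assumes the lookup is named hostlist.csv with a host field, and uses append plus stats rather than join so the subsearch row limit is the only constraint.

```spl
| inputlookup hostlist.csv
| eval host=lower(host), in_inventory=1
| append [
    | metadata type=hosts index=*
    | eval host=lower(host)
    | rename lastTime AS last_data_time
    | fields host last_data_time ]
| append [
    search index=_internal sourcetype=splunkd earliest=-24h
    | eval host=lower(host)
    | stats latest(_time) AS last_internal_time by host ]
| stats max(in_inventory) AS in_inventory, max(last_data_time) AS last_data_time, max(last_internal_time) AS last_internal_time by host
| where in_inventory=1
| eval agent_status=if(isnull(last_internal_time), "no splunkd log in 24h (agent missing or down)", "agent reporting")
| eval data_status=case(isnull(last_data_time), "never indexed", last_data_time < relative_time(now(), "-24h"), "stale (>24h)", true(), "sending")
| convert ctime(last_data_time) ctime(last_internal_time)
| table host agent_status data_status last_internal_time last_data_time
```

A host with "agent reporting" but "never indexed" or "stale" has a working forwarder whose inputs are not delivering data, while "no splunkd log" with "sending" usually means data arrives by another route (syslog, HEC, a different forwarder) rather than a local agent.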