Splunk Search

How to generate a search that will let me know if Splunk is installed on a host and if the host is sending data or not?

sravankaripe
Communicator

How can I know whether a particular host is sending data or not? And how can I know whether the Splunk agent is installed on a particular host or not? Please help me with a search query and what we have to observe from the search result.

0 Karma

gcusello
SplunkTrust

Hi sravankaripe,
If you want to know the hosts that don't send logs, the solution from @sundareshr is perfect.
If you want to have a table with all the hosts and an indication of which are sending and which aren't, you could use something like this:
| inputlookup hostlist.csv | eval count=0, host=lower(host) | append [ search index=_internal | eval host=lower(host) | stats count by host ] | stats sum(count) AS Total by host | rangemap field=Total severe=0-0 low=1-1000000000 default=severe
In this way, hosts with severe aren't sending and hosts with low are sending.
You could also add a graphical representation using

script="table_icons_rangemap.js", stylesheet="table_decorations.css"

that you can take from the Splunk 6.0 Dashboard Examples App (https://splunkbase.splunk.com/app/1603/).

Bye.
Giuseppe

0 Karma

sundareshr
Legend

You will first need to create a list of all the hosts in your environment and use that to create a lookup file (the CSV file should have a field called host).

http://docs.splunk.com/Documentation/Splunk/6.5.0/SearchReference/Lookup

Once you have the lookup, you can try this search:

| inputlookup hostlist.csv | fields host | search NOT [| metadata type=hosts index=* | fields host]
0 Karma
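Building on the two searches above, here is an added example (not code from either poster) that goes a step further: it reports hosts that have gone quiet, not just hosts that have never reported, and also flags hosts that appear in _internal but are missing from the inventory. It assumes the lookup is named hostlist.csv with a host field, that the time picker covers at least the staleness window, and that 24 hours without any splunkd logs counts as stale.

```spl
| inputlookup hostlist.csv
| eval host=lower(host), in_inventory=1, lastTime=0, totalCount=0
| append
    [| metadata type=hosts index=_internal
     | eval host=lower(host), in_inventory=0
     | fields host in_inventory lastTime totalCount]
| stats max(in_inventory) AS in_inventory, max(lastTime) AS lastTime, sum(totalCount) AS totalCount BY host
| eval hours_silent=if(lastTime=0, null(), round((now()-lastTime)/3600, 1))
| eval status=case(lastTime=0, "never seen",
                   in_inventory=0, "not in inventory",
                   hours_silent>24, "stale",
                   true(), "sending")
| eval last_seen=if(lastTime=0, "never", strftime(lastTime, "%Y-%m-%d %H:%M:%S"))
| table host in_inventory status hours_silent last_seen totalCount
| sort status, -hours_silent
```

index=_internal only proves the forwarder on the host is alive and phoning home; to confirm the host's own data is arriving, run the same search against the indexes that data should land in instead of _internal.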

sravankaripe
Communicator

i know index=_internal sourcetype=splunkd

0 Karma