Splunk Search

How to generate a search that will let me know if Splunk is installed on a host and if the host is sending data or not?

sravankaripe
Communicator

how can i know that a particular host is sending data or not? and how can i know that the Splunk agent is installed in particular host or not? please help me with search query and what we have to observer from the search result.

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi sravankaripe,
If you want to know host that don't send log the solution from @sundareshr is perfect.
If you want to have a table with all the host and the indication of which are sending and which aren't sending you could use something like this:
|inputlookup hoslist.csv | eval count=0, host=lower(host) | append [ search index=_internal | eval host=lower(host) | stats count by host ] | stats sum(count) AS Total | rangemap field=Total severe=0-0 low=1-1000000000 default=severe
In this way hosts with severe aren't sending and host with low are sending.
You could also add a graphical representation using

script="table_icons_rangemap.js, stylesheet="table_decorations.css"

that you can take from the Splunk 6.0 Dashboard Examples App (https://splunkbase.splunk.com/app/1603/).

Bye.
Giuseppe

0 Karma

sundareshr
Legend

You will first need to create a list of all the hosts in your environment and use that to create a lookup file (csv file should have a field called host)

http://docs.splunk.com/Documentation/Splunk/6.5.0/SearchReference/Lookup

ONce you have the lookup, you try this search

| inputlookup hostlist.csv | field host | search NOT [| metadata type=hosts index=*]
0 Karma

sravankaripe
Communicator

i know index=_internal sourcetype=splunkd

0 Karma
Get Updates on the Splunk Community!

New in Observability - Improvements to Custom Metrics SLOs, Log Observer Connect & ...

The latest enhancements to the Splunk observability portfolio deliver improved SLO management accuracy, better ...

Improve Data Pipelines Using Splunk Data Management

  Register Now   This Tech Talk will explore the pipeline management offerings Edge Processor and Ingest ...

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud?

Register Join this Tech Talk to learn how unique features like Service Centric Views, Tag Spotlight, and ...