How to get list of host and source type which are ...

chandanjaisal · ‎07-09-2015

I have couples of host and each host has multiple source type, I want to list down host and source type which are not sending data for last 24 hours.

alacercogitatus · ‎07-09-2015

Run this search:

|noop  |append [ |metadata type=hosts | table *] | append [|metadata type=sourcetypes | table *] | eval t = now() - lastTime | where t > 86400 | eval name = coalesce(host,sourcetype)| table name t lastTime totalCount type |rename t as "Seconds since Event" | convert ctime(lastTime) timeformat="%m/%d/%Y %H:%M:%S %z"

What is it doing? Well, noop stops Splunk from searching, and then we use two metadata commands to pull metadata information on hosts and sourcetypes. A little bit of eval/table/rename/convert trickery, and viola! A table of the hosts and sourcetypes with no events in the last 24 hours.

chandanjaisal · ‎07-10-2015

Thanks Alacercogitatus for the reply.
I have executed your search query that is working fine. This query is also helpful for me, but here I have different requirement as following.

Host SourceType Status
host_1 sourcetype_1 Sending data
host_1 sourcetype_2 sending data
host_1 sourcetype_3 Not sending data for Last 24 hours

host_2 sourcetype_1 sending data
host_2 sourcetype_2 Not sending data for last 24 hours
host_2 sourcetype_3 sending data

Required OutPut:
host_1 Sourcetype_3 LastTime
host_2 sourcetype_2 LastTime

How to get list of host and source type which are not not sending data for last 24 hour.

Introducing the Splunk Community Dashboard Challenge!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...