I have a couple of hosts, and each host has multiple source types. I want to list the hosts and source types that have not sent data for the last 24 hours.
Run this search:
|noop |append [ |metadata type=hosts | table *] | append [|metadata type=sourcetypes | table *] | eval t = now() - lastTime | where t > 86400 | eval name = coalesce(host,sourcetype)| table name t lastTime totalCount type |rename t as "Seconds since Event" | convert ctime(lastTime) timeformat="%m/%d/%Y %H:%M:%S %z"
What is it doing? Well, noop stops Splunk from searching, and then we use two metadata commands to pull metadata information on hosts and sourcetypes. A little bit of eval/table/rename/convert trickery, and voila! A table of the hosts and sourcetypes with no events in the last 24 hours.
Thanks, Alacercogitatus, for the reply.
I have executed your search query and it is working fine. This query is also helpful for me, but I have a different requirement, as follows.
Host    SourceType    Status
host_1  sourcetype_1  Sending data
host_1  sourcetype_2  Sending data
host_1  sourcetype_3  Not sending data for last 24 hours
host_2  sourcetype_1  Sending data
host_2  sourcetype_2  Not sending data for last 24 hours
host_2  sourcetype_3  Sending data
Required output:
host_1  sourcetype_3  LastTime
host_2  sourcetype_2  LastTime
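The per-host, per-sourcetype version of the check, as an added example that is not part of this thread's answers. The metadata command reports per host or per sourcetype but never the (host, sourcetype) pair, so this search uses tstats over the indexed host and sourcetype fields instead. It also merges in an inventory of expected pairs from a hypothetical lookup file expected_sources.csv (columns host and sourcetype, assumed, not from the thread), so that a pair that has never indexed anything in the search window also surfaces instead of silently disappearing from the result. The 30-day tstats window is an assumption; from a detection-engineering point of view a silent source is a blind spot, so this is the kind of search to schedule as an alert rather than run by hand.

```spl
| tstats max(_time) as lastTime, count as totalCount
    where index=* earliest=-30d
    by host, sourcetype
`comment("Hypothetical inventory of expected (host, sourcetype) pairs; lastTime=0 marks 'never seen'")`
| append [ | inputlookup expected_sources.csv | eval lastTime = 0, totalCount = 0 ]
| stats max(lastTime) as lastTime, sum(totalCount) as totalCount by host, sourcetype
| eval secondsSinceEvent = now() - lastTime
| where secondsSinceEvent > 86400
| eval status = if(totalCount == 0, "No events in last 30 days", "Not sending data for last 24 hours")
| eval lastTime = if(totalCount == 0, null(), lastTime)
| convert ctime(lastTime) timeformat="%m/%d/%Y %H:%M:%S %z"
| table host, sourcetype, status, lastTime, secondsSinceEvent, totalCount
| sort - secondsSinceEvent
```

Without the inventory, the search only reports pairs that indexed at least one event inside the window, so a source that died more than 30 days ago, or was never onboarded correctly, is invisible to it; the lookup closes that gap. The inventory is pulled in through a subsearch, so keep it below the subsearch result limit (10,000 rows by default), or replace the append with a lookup-based join for very large estates.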