Splunk Search

How to get list of host and source type which are not not sending data for last 24 hour.

chandanjaisal
Explorer

I have couples of host and each host has multiple source type, I want to list down host and source type which are not sending data for last 24 hours.

Tags (1)
0 Karma

alacercogitatus
SplunkTrust
SplunkTrust

Run this search:

|noop  |append [ |metadata type=hosts | table *] | append [|metadata type=sourcetypes | table *] | eval t = now() - lastTime | where t > 86400 | eval name = coalesce(host,sourcetype)| table name t lastTime totalCount type |rename t as "Seconds since Event" | convert ctime(lastTime) timeformat="%m/%d/%Y %H:%M:%S %z"

What is it doing? Well, noop stops Splunk from searching, and then we use two metadata commands to pull metadata information on hosts and sourcetypes. A little bit of eval/table/rename/convert trickery, and viola! A table of the hosts and sourcetypes with no events in the last 24 hours.

chandanjaisal
Explorer

Thanks Alacercogitatus for the reply.
I have executed your search query that is working fine. This query is also helpful for me, but here I have different requirement as following.

Host SourceType Status
host_1 sourcetype_1 Sending data
host_1 sourcetype_2 sending data
host_1 sourcetype_3 Not sending data for Last 24 hours

host_2 sourcetype_1 sending data
host_2 sourcetype_2 Not sending data for last 24 hours
host_2 sourcetype_3 sending data

Required OutPut:
host_1 Sourcetype_3 LastTime
host_2 sourcetype_2 LastTime

0 Karma
.conf21 Now Fully Virtual!
Register for FREE Today!

We've made .conf21 totally virtual and totally FREE! Our completely online experience will run from 10/19 through 10/20 with some additional events, too!