Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to get list of host and source type which are not not sending data for last 24 hour.

chandanjaisal
Explorer
‎07-09-2015 04:15 AM

I have couples of host and each host has multiple source type, I want to list down host and source type which are not sending data for last 24 hours.

Tags (1)
0 Karma
Reply

alacercogitatus
SplunkTrust
SplunkTrust
‎07-09-2015 04:41 AM

Run this search:

|noop  |append [ |metadata type=hosts | table *] | append [|metadata type=sourcetypes | table *] | eval t = now() - lastTime | where t > 86400 | eval name = coalesce(host,sourcetype)| table name t lastTime totalCount type |rename t as "Seconds since Event" | convert ctime(lastTime) timeformat="%m/%d/%Y %H:%M:%S %z"

What is it doing? Well, noop stops Splunk from searching, and then we use two metadata commands to pull metadata information on hosts and sourcetypes. A little bit of eval/table/rename/convert trickery, and viola! A table of the hosts and sourcetypes with no events in the last 24 hours.

Reply

chandanjaisal
Explorer
‎07-10-2015 02:45 AM

Thanks Alacercogitatus for the reply.
I have executed your search query that is working fine. This query is also helpful for me, but here I have different requirement as following.

Host SourceType Status
host_1 sourcetype_1 Sending data
host_1 sourcetype_2 sending data
host_1 sourcetype_3 Not sending data for Last 24 hours

host_2 sourcetype_1 sending data
host_2 sourcetype_2 Not sending data for last 24 hours
host_2 sourcetype_3 sending data

Required OutPut:
host_1 Sourcetype_3 LastTime
host_2 sourcetype_2 LastTime

0 Karma
Reply
Get Updates on the Splunk Community!