Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to get only active hosts?

Stephcg
Explorer
‎01-20-2023 04:24 PM

I have an application that have some instances/hosts. Because of change of throughput or instability new instances/hosts can be initiated and old can be terminated.
There are many different events/logs being registered. 

When a new instance/host is initiated it shows the following event/log:

1/20/23
6:00:01.256 PM
 
[app=gateway-example-app, traceId=, spanId=, INFO 1 [ main] gateway.GatewayApplicationKt : Started GatewayApplicationKt in 21.081 seconds (JVM running for 48.641)
  • host = ip-example-of-ip-01
  • source = http:source-example
  • sourcetype = example-sourcetype 

 

When an instance is terminated, it shows the following log:

1/20/23
3:53:42.778 PM
 
CoreServiceImpl INFO: JVM is shutting down
  • host = ip-example-of-ip-02
  • source = http:source-example
  • sourcetype = example-sourcetype 



Is there a way of getting a list of hosts that have the log of initialization, but don't have the log of termination? 
In other words, a list of currently active hosts?

Thank you for any help in advance. And sorry if I wrote anything wrong, english is not my main language.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

scelikok
SplunkTrust
SplunkTrust
‎01-20-2023 06:21 PM

Hi @Stephcg,

There are other ways but the below should work for your case;

index=application source=http:source-example sourcetype=example-sourcetype ("is shutting down" OR "Started") 
| dedup host 
| search "Started"
| table _time host

 

If this reply helps you an upvote and "Accept as Solution" is appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

scelikok
SplunkTrust
SplunkTrust
‎01-20-2023 06:21 PM

Hi @Stephcg,

There are other ways but the below should work for your case;

index=application source=http:source-example sourcetype=example-sourcetype ("is shutting down" OR "Started") 
| dedup host 
| search "Started"
| table _time host

 

If this reply helps you an upvote and "Accept as Solution" is appreciated.
Reply
Solved! Jump to solution

Stephcg
Explorer
‎01-21-2023 12:19 PM

That worked perfectly! Thank you so much for the help!

0 Karma
Reply
Get Updates on the Splunk Community!

Database Performance Sidebar Panel Now on APM Database Query Performance & Service ...

We’ve streamlined the troubleshooting experience for database-related service issues by adding a database ...

IM Landing Page Filter - Now Available

We’ve added the capability for you to filter across the summary details on the main Infrastructure Monitoring ...

Dynamic Links from Alerts to IM Navigators - New in Observability Cloud

Splunk continues to improve the troubleshooting experience in Observability Cloud with this latest enhancement ...