Splunk Search

How to get the latest host value which is sending logs by comparing 2 hosts?

raj_mpl
Path Finder

Hi ,

I have a search like the one below, where the logs are coming from the fig1, fig4, fig5, fig6 indexes from either of 2 hosts, say host1 and host2. At any one time the 2 hosts won't both send logs; only one of the hosts will be actively sending logs to the fig1 index with sourcetype abc.

| tstats latest(_time) as latest_time WHERE (index = fig*) (NOT index IN (fig2,fig3)) sourcetype="abc" by host index sourcetype | eval silent_in_hours=round((now() - latest_time)/3600,2) | where silent_in_hours>20 | eval latest_time=strftime(latest_time, "%m/%d/%Y %H:%M:%S")

I want to build logic so that if either host1 or host2 is sending logs, the above query should not give any output (it should not display the silent host, because we are getting logs from the other host).

Thanks in advance


somesoni2
Revered Legend

Give this a try

| tstats latest(_time) as latest_time WHERE (index = fig*) (NOT index IN (fig2,fig3)) sourcetype="abc" by host index sourcetype | eval silent_in_hours=round((now() - latest_time)/3600,2) | where silent_in_hours>20 | stats dc(host) as silent_hosts max(latest_time) as latest_time by index sourcetype | where silent_hosts=2 | eval latest_time=strftime(latest_time, "%m/%d/%Y %H:%M:%S")

raj_mpl
Path Finder

Hi @somesoni2, thanks for your reply.

I tried the SPL that you gave, but its condition is always looking for a silent_hosts count of 2.

where silent_hosts=2

Which in turn ignores a single host that is silent for more than 20 hours (logs are coming from a single host only for the other index and sourcetype combinations, continuously for the past 1 month). So the query is discarding those feeds.

I tried where silent_hosts>=1; in this case it displays the old, stopped host1. This should not be displayed, as we are getting the logs for the same index and sourcetype from host2.

richgalloway
SplunkTrust

So you want to trigger an alert if no host is sending events, correct? If so, then define an alert that triggers if this search returns zero results:

| tstats latest(_time) as latest_time WHERE (index = fig*) (NOT index IN (fig2,fig3)) sourcetype="abc" by host index sourcetype
---
If this reply helps you, Karma would be appreciated.

raj_mpl
Path Finder

1) At any point in time, one of the 2 hosts will be active and sending the logs, so the silent hours condition (silent hours>20) will always be false, as we are receiving the logs, and the alert should not trigger.

2) If both hosts are silent for more than 20 hours, then the condition becomes true and the alert should trigger.

Hope I am clear with the requirement.

richgalloway
SplunkTrust

I don't understand the problem. If a host is silent and not sending events to Splunk, then there will be nothing for Splunk to show in the output. Only reporting hosts will be displayed.

---
If this reply helps you, Karma would be appreciated.

raj_mpl
Path Finder

Hi @richgalloway, if host1 is silent then, as per the above logic, it will show host1 as silent per the where condition. I should not get that, because host2 will be sending the logs. So we want logic to check whether any of the hosts is sending logs, and if any one of them is sending logs then the alert should not trigger.
Consider that logs will come interchangeably from host1 and host2 every 15 days.

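One way to implement the rule the thread is after (alert only when neither host has reported for 20 hours, stay quiet while either one is active), as an added example and not SPL posted by any participant: keep the per-host tstats rows, but compute the group-wide latest event per index/sourcetype with eventstats and filter on that value instead of the per-host one. It assumes the search runs over a time range that still contains the last event of whichever host went quiet, and reuses the index and sourcetype names from the question.

```spl
| tstats latest(_time) as latest_time WHERE (index = fig*) (NOT index IN (fig2,fig3)) sourcetype="abc" by host index sourcetype
``` eventstats attaches the newest latest_time across all hosts of the same index/sourcetype to every row
| eventstats max(latest_time) as group_latest_time by index sourcetype
``` per-host silence (for display) and group silence (for the alert decision)
| eval silent_in_hours=round((now() - latest_time)/3600,2)
| eval group_silent_in_hours=round((now() - group_latest_time)/3600,2)
``` when host2 is active, group_silent_in_hours stays small and host1's stale row is dropped too;
``` when both are silent >20h, every host row for that index/sourcetype survives and the alert fires
| where group_silent_in_hours>20
| eval latest_time=strftime(latest_time, "%m/%d/%Y %H:%M:%S")
| table index sourcetype host latest_time silent_in_hours group_silent_in_hours
```

Schedule it as an alert that triggers when the number of results is greater than zero; rows only appear once every host of an index/sourcetype pair has been silent past the threshold.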