How to verify data for a specific sourcetype was indexed yesterday for a list of hosts from a master list?

napomokoetle
Communicator

Hi Everyone,

Every night just after midnight, I need to verify that data for a specific sourcetype has been indexed during the course of yesterday for a list of hosts that is provided as a master list. This is so that admins can take remedial measures for those hosts that for some reason stopped sending data from the sourcetype before too much data is lost.

The master list consists of two hundred hosts.

Please help with how to structure the search for this type of problem. Thanks in advance for your kind help.

0 Karma
1 Solution

somesoni2
SplunkTrust

Here is what you can do:

1) Save your master host list as a lookup table in Splunk, say host_master.csv, containing the field host. See this: http://docs.splunk.com/Documentation/Splunk/6.2.0/Knowledge/Addfieldsfromexternaldatasources

2) Create an alert search with the following specifications: http://www.splunk.com/view/SP-CAAAGYG
Alert search:

| inputlookup host_master.csv
| table host
| eval From="lookup"
| append [ | tstats count WHERE index=YourIndex(es) AND sourcetype=YourSourceType by host | table host | eval From="Yesterday" ]
| stats values(From) as From by host
| where mvcount(From)=1 AND From="lookup"

Time Range: -1d@d to @d (Start time / Finish time)
Alert condition: When number of rows greater than 0

0 Karma
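
The alert from the answer above, written out as a savedsearches.conf stanza so it can be deployed rather than clicked together in the UI. This is an added example, not part of the original answer; the stanza name, the index and sourcetype names (myindex, mysourcetype), the cron schedule and the recipient address are assumptions.

```ini
# Added example: savedsearches.conf stanza implementing the alert from the answer above.
# Stanza name, index (myindex), sourcetype (mysourcetype), schedule and recipient are assumptions.
[Missing hosts for mysourcetype - yesterday]
search = | inputlookup host_master.csv | table host | eval From="lookup" | append [ | tstats count WHERE index=myindex AND sourcetype=mysourcetype by host | table host | eval From="Yesterday" ] | stats values(From) as From by host | where mvcount(From)=1 AND From="lookup"

# Yesterday, midnight to midnight; the tstats subsearch inherits this window
dispatch.earliest_time = -1d@d
dispatch.latest_time = @d

# Run at 00:15 every day, after the day has rolled over
cron_schedule = 15 0 * * *
enableSched = 1

# Fire when the search returns at least one row, i.e. a host with no data yesterday
counttype = number of events
relation = greater than
quantity = 0

alert.track = 1
alert.severity = 4
action.email = 1
action.email.to = splunk-admins@example.com
action.email.sendresults = 1
action.email.subject = Hosts with no mysourcetype data yesterday
```

The join between the two branches is on the literal value of host, so the names in host_master.csv must match the indexed host field exactly (case and short name versus FQDN). If they do not, add the same normalization, for example `| eval host=lower(host)`, to both the inputlookup branch and the tstats subsearch before the stats. The lookup file also has to be shared with the app the alert runs in, otherwise the scheduled search fails with a lookup-not-found error rather than reporting missing hosts.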

napomokoetle
Communicator

Hi somesoni2,

Thanks for your swift response. When I execute the first part of the search

| lookup host_master.csv | table host

I get a message as follows...

Error in 'lookup' command: Must specify one or more lookup fields.

0 Karma

somesoni2
SplunkTrust
SplunkTrust

Ohh, wrong command. Try the updated answer.

0 Karma