Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Network Toolkit: How to ping hosts from a search

rohitmaheshwari
Explorer
‎08-14-2019 01:25 PM

I have a search that gives me a column with hostnames

host
A
B
C

I am trying to use the network toolkit application from Splunk base to ping these hosts to see if they are still alive.

for example
if I have search such as this:

index=abc | stats values(host) as host | mvexpand host

How can I add another column using the |ping command or any other command to see if I am able to receive a status on these servers?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Sukisen1981
Champion
‎08-15-2019 12:45 AM

hi @rohitmaheshwari
you need to use the map command, The ping command in this app which gives info like dest,sent , packet loss etc are all based on the host field , which is a ip address.
Try this in your network toolkit app

index=abc | stats values(host) as host | mvexpand host | map search="| ping host=$host$  count=1 |  eval dest=if(isnull(dest),host,dest) | fields dest sent received packet_loss min_ping avg_ping max_ping jitter | eval row="Value" | transpose column_name=Data header_field=row"

NOTE : The command /app itself is a bit slow, strongly suggest to limit initial host set to only 3 ips at first
See the output and then decide how to proceed further, all I am doing above is passing each host value from your index into the ping command, it works like a for loop.

View solution in original post

Reply
Solved! Jump to solution

lamelendrez
Loves-to-Learn Lots
‎01-31-2023 02:03 PM

How could I do a incorporate an inputlookup to the search to change the IP address to a device name?

0 Karma
Reply
Solved! Jump to solution
Solution

Sukisen1981
Champion
‎08-15-2019 12:45 AM

hi @rohitmaheshwari
you need to use the map command, The ping command in this app which gives info like dest,sent , packet loss etc are all based on the host field , which is a ip address.
Try this in your network toolkit app

index=abc | stats values(host) as host | mvexpand host | map search="| ping host=$host$  count=1 |  eval dest=if(isnull(dest),host,dest) | fields dest sent received packet_loss min_ping avg_ping max_ping jitter | eval row="Value" | transpose column_name=Data header_field=row"

NOTE : The command /app itself is a bit slow, strongly suggest to limit initial host set to only 3 ips at first
See the output and then decide how to proceed further, all I am doing above is passing each host value from your index into the ping command, it works like a for loop.

Reply
Solved! Jump to solution

Sukisen1981
Champion
‎08-19-2019 07:58 AM

hi @rohitmaheshwari
Please try out and accept the answer if this works for you

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...