Splunk Search

Restrict Hosts in This Particular Search

Builder

Hello to all,

I am using the search in the link below to find hosts that haven't logged in a certain amount of time:

http://splunk-base.splunk.com/answers/3181/how-do-i-alert-when-a-host-stops-sending-data

| metadata index=yourindex type=hosts | eval age = now()-lastTime | where (age > 3600 AND age < 7200) | sort age d | convert ctime(lastTime) | fields age,host,lastTime

How do I restrict certain hosts from the search? There are hosts that we don't necessarily want to be alerted on, but I wasn't able to figure out how to do it with the metadata searches.

Any help would be great, and thanks!

Tags (3)
0 Karma
1 Solution

Legend

Try

| metadata index=yourindex type=hosts 
| search host!=nothishost* host!=notthishost2.*
| eval age = now()-lastTime 
| where (age > 3600 AND age < 7200) 
| sort age d | convert ctime(lastTime) | fields age,host,lastTime

If you have a lot of hosts to eliminate, there are other ways, but this is easiest.

View solution in original post

0 Karma

Legend

Try

| metadata index=yourindex type=hosts 
| search host!=nothishost* host!=notthishost2.*
| eval age = now()-lastTime 
| where (age > 3600 AND age < 7200) 
| sort age d | convert ctime(lastTime) | fields age,host,lastTime

If you have a lot of hosts to eliminate, there are other ways, but this is easiest.

View solution in original post

0 Karma

Builder

Perfect! Thanks!

0 Karma