Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

SPL querry help

srujana96
Explorer
‎01-10-2021 11:24 PM

I have a lookup table X which contains list of Servers, my indexer(myserveridx) contains list of server which are up and running. i want to write a querry to get the name of server which are present in lookup table but not in index. 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎01-10-2021 11:36 PM

Hi @srujana96,

assuming that the host field in lookup is named "host", you have to run a search like this:

| metasearch index=myserveridx
| eval host=lower(host)
| stats count BY host
| append [ | inputlookup X | eval host=lower(host), count=0 | fields host count ]
| stats sum(count) AS total
| where total=0

In this way you can create an alert to periodically run (e.g. every 5 minutes) to check your perimeter.

You can use the same search (replacing the last row) to display a status of your infrastruture:

| metasearch index=myserveridx
| eval host=lower(host)
| stats count BY host
| append [ | inputlookup X | eval host=lower(host), count=0 | fields host count ]
| stats sum(count) AS total
| eval status=if(total=0,"Down","Up")
| table host status

 Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎01-10-2021 11:36 PM

Hi @srujana96,

assuming that the host field in lookup is named "host", you have to run a search like this:

| metasearch index=myserveridx
| eval host=lower(host)
| stats count BY host
| append [ | inputlookup X | eval host=lower(host), count=0 | fields host count ]
| stats sum(count) AS total
| where total=0

In this way you can create an alert to periodically run (e.g. every 5 minutes) to check your perimeter.

You can use the same search (replacing the last row) to display a status of your infrastruture:

| metasearch index=myserveridx
| eval host=lower(host)
| stats count BY host
| append [ | inputlookup X | eval host=lower(host), count=0 | fields host count ]
| stats sum(count) AS total
| eval status=if(total=0,"Down","Up")
| table host status

 Ciao.

Giuseppe

Reply
Solved! Jump to solution

srujana96
Explorer
‎01-11-2021 12:41 AM

Hi @gcusello 

Thanks for the reply.
the querry which you have sent is giving me the overall count.
but my expectation is to get the count of the Server which are in lookup table but not in my index
for example i have pasted the below excel sheet for your reference in that i want the count server that are not patched i have highlighted for your reference

In this below excel sheet the servers which are not patched are 1,3,5,7 and 9 so my count is 5.

LookupIndexStatus server patchedSuccessFailureserver not patched
12Success 5325
24Success     
36Success     
48Failure     
510Failure     
6       
7       
8       
9       
10       
0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎01-11-2021 12:52 AM

Hi @srujana96,

my first search gives you the list of servers that are in lookup but not in the search results.

You have to adapt the logic of this approach to your needs!

in other words; you have to define a search to find all the servers that match a condition (e.g. Status=Success) and then compare results with the lookup using my method.

So if you want to check which of your servers has Status=Success, you can run a search like this:

index=myserveridx Status=Success
| eval host=lower(host)
| stats count BY host
| append [ | inputlookup X | eval host=lower(host), count=0 | fields host count ]
| stats sum(count) AS total
| where total=0

In this way you have all the servers from your list that haven't Status=Success.

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Community Content Calendar, October Edition

Welcome to the October edition of our Community Spotlight! The Splunk Community is a treasure trove of ...

SOC4Kafka - New Kafka Connector Powered by OpenTelemetry

The new SOC4Kafka connector, built on OpenTelemetry, enables the collection of Kafka messages and forwards ...