Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Search for disappeared and new hosts

chris
Motivator
‎03-17-2010 09:10 AM

Hi

I would like to have a way to find out whether hosts have stopped logging to our central log infrastructure or if new hosts have appeared.

I tried using the "set diff" command with two identical searches with different timeranges like so:

| set diff [search index=* * earliest=03/16/2010:08:30:0 latest=03/16/2010:08:35:0 | dedup host | fields host ] [search index=* * earliest=03/17/2010:08:30:0 latest=03/17/2010:08:35:0 | dedup host | fields host ]

I think the diff should list the hosts that I am looking for, but I seem to get the union of the 2 searches as the result. (The individual searches return 761 and 773 results, the search listed above returns 1534 results)

If intersect is used instead of diff in the above query it returns 0 results. If union is used in the query returns 1534 results.

What is wrong in the query or is there another (better) way to do this?

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gkanapathy
Splunk Employee
Splunk Employee
‎03-17-2010 03:21 PM

First of all, if you're just looking for hosts, it's much more efficient to get the information from a metadata search. This is extremely costly:

index=*

while

| metadata type=hosts index=* | search firstTime > blah lastTime < xxx | fields host

is about as cheap as it gets, where blah and xxx are epoch times (you can use ...| convert mktime(blah) timeformat="%m/%d/%Y:%H:%M:%S"... if you like to enter them the other way). This will also probably solve your set problem, because I think you might need a | fields - _* to get rid of hidden fields when you try to generate the host list from event data. metadata doesn't have hidden fields, so not an issue there.

View solution in original post

Reply
Solved! Jump to solution
Solution

gkanapathy
Splunk Employee
Splunk Employee
‎03-17-2010 03:21 PM

First of all, if you're just looking for hosts, it's much more efficient to get the information from a metadata search. This is extremely costly:

index=*

while

| metadata type=hosts index=* | search firstTime > blah lastTime < xxx | fields host

is about as cheap as it gets, where blah and xxx are epoch times (you can use ...| convert mktime(blah) timeformat="%m/%d/%Y:%H:%M:%S"... if you like to enter them the other way). This will also probably solve your set problem, because I think you might need a | fields - _* to get rid of hidden fields when you try to generate the host list from event data. metadata doesn't have hidden fields, so not an issue there.

Reply
Solved! Jump to solution

gkanapathy
Splunk Employee
Splunk Employee
‎03-19-2010 02:02 PM

I'm not sure if the need to use | fields - _* is a bug or not. Some commands will ignore hidden fields after | fields - *, others (like set) apparently do not. This might be intentional but I don't know.

0 Karma
Reply
Solved! Jump to solution

chris
Motivator
‎03-19-2010 09:36 AM

You were right about the fields - _* and the metadata search is way faster.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...