Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Search _internal for metrics from non-indexer instances

eden881
Path Finder
‎09-22-2019 10:52 AM

Hi,

I need to perform a search on forwarder data from the _internal index, but I need to exclude my indexers from that search.
I know I can get the indexers list by many ways, for example:

index=_internal source="*metrics.log" group=instance instance_roles="*indexer*"
| table host
| dedup host

But how can I use the list to dynamically exclude the hosts from my other _internal search?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

MuS
Legend
‎09-22-2019 02:31 PM

Hi eden881,

you can exclude the indexers with this SPL example:

index=_internal NOT
    [| tstats count WHERE index=_internal sourcetype=splunkd TERM(metrics) TERM(instance) TERM(indexer) by host
    | table host
    | format ]

The tstats sub search will return a list like ( ( host=1 ) OR ( host=2 ) ... ) that will be excluded from the main search.

Hope this helps ...

cheers, MuS

View solution in original post

Reply
Solved! Jump to solution
Solution

MuS
Legend
‎09-22-2019 02:31 PM

Hi eden881,

you can exclude the indexers with this SPL example:

index=_internal NOT
    [| tstats count WHERE index=_internal sourcetype=splunkd TERM(metrics) TERM(instance) TERM(indexer) by host
    | table host
    | format ]

The tstats sub search will return a list like ( ( host=1 ) OR ( host=2 ) ... ) that will be excluded from the main search.

Hope this helps ...

cheers, MuS

Reply
Solved! Jump to solution

eden881
Path Finder
‎11-13-2019 02:45 AM

Thanks! It works well.

0 Karma
Reply
Get Updates on the Splunk Community!

Demo Day: Strengthen Your SOC with Splunk Enterprise Security 8.1

Today’s threat landscape is more complex than ever. Security operation centers (SOCs) are overwhelmed with ...

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...