Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forย 
Search instead forย 
Did you mean:ย 
Ask a Question
Solved! Jump to solution

Search _internal for metrics from non-indexer instances

eden881
Path Finder
โ€Ž09-22-2019 10:52 AM

Hi,

I need to perform a search on forwarder data from the _internal index, but I need to exclude my indexers from that search.
I know I can get the indexers list by many ways, for example:

index=_internal source="*metrics.log" group=instance instance_roles="*indexer*"
| table host
| dedup host

But how can I use the list to dynamically exclude the hosts from my other _internal search?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

MuS
SplunkTrust
SplunkTrust
โ€Ž09-22-2019 02:31 PM

Hi eden881,

you can exclude the indexers with this SPL example:

index=_internal NOT
    [| tstats count WHERE index=_internal sourcetype=splunkd TERM(metrics) TERM(instance) TERM(indexer) by host
    | table host
    | format ]

The tstats sub search will return a list like ( ( host=1 ) OR ( host=2 ) ... ) that will be excluded from the main search.

Hope this helps ...

cheers, MuS

View solution in original post

Reply
Solved! Jump to solution
Solution

MuS
SplunkTrust
SplunkTrust
โ€Ž09-22-2019 02:31 PM

Hi eden881,

you can exclude the indexers with this SPL example:

index=_internal NOT
    [| tstats count WHERE index=_internal sourcetype=splunkd TERM(metrics) TERM(instance) TERM(indexer) by host
    | table host
    | format ]

The tstats sub search will return a list like ( ( host=1 ) OR ( host=2 ) ... ) that will be excluded from the main search.

Hope this helps ...

cheers, MuS

View solution in original post

Reply
Solved! Jump to solution

eden881
Path Finder
โ€Ž11-13-2019 02:45 AM

Thanks! It works well.

0 Karma
Reply