Solved: Search _internal for metrics from non-indexer inst...

eden881 · ‎09-22-2019

Hi,

I need to perform a search on forwarder data from the _internal index, but I need to exclude my indexers from that search.
I know I can get the indexers list by many ways, for example:

index=_internal source="*metrics.log" group=instance instance_roles="*indexer*"
| table host
| dedup host

But how can I use the list to dynamically exclude the hosts from my other _internal search?

MuS · ‎09-22-2019

Hi eden881,

you can exclude the indexers with this SPL example:

index=_internal NOT
    [| tstats count WHERE index=_internal sourcetype=splunkd TERM(metrics) TERM(instance) TERM(indexer) by host
    | table host
    | format ]

The tstats sub search will return a list like ( ( host=1 ) OR ( host=2 ) ... ) that will be excluded from the main search.

Hope this helps ...

cheers, MuS

View solution in original post

MuS · ‎09-22-2019

Hi eden881,

you can exclude the indexers with this SPL example:

index=_internal NOT
    [| tstats count WHERE index=_internal sourcetype=splunkd TERM(metrics) TERM(instance) TERM(indexer) by host
    | table host
    | format ]

The tstats sub search will return a list like ( ( host=1 ) OR ( host=2 ) ... ) that will be excluded from the main search.

Hope this helps ...

cheers, MuS

eden881 · ‎11-13-2019

Thanks! It works well.

Search _internal for metrics from non-indexer instances

Admin Your Splunk Cloud, Your Way

Cloud Platform | Discontinuing support for TLS version 1.0 and 1.1

New Customer Testimonials