
Search where hosts have an unrelated sourcetype

Engager

I was refining an existing search/dashboard panel when I discovered that my hosts do not reliably follow a pattern. What these hosts do have in common is the presence of a sourcetype unrelated to the data in the search.

Existing Search:

eventtype=winperformance host=myhostpattern object=logicaldisk .....

This search works nicely, but excludes hosts which do not follow the pattern. I would like to replace host=myhostpattern with something that will search for:

sourcetype=mysource | dedup host

and use this to create the host list to use.

I have considered using an inputlookup/outputlookup, but thought there would be a better option.


Re: Search where hosts have an unrelated sourcetype

SplunkTrust

Subsearch is your friend here (unless the number of hosts is huge):

eventtype=winperformance object=logicaldisk
[search sourcetype=mysource | dedup host | table host]

More about subsearches: http://docs.splunk.com/Documentation/Splunk/latest/SearchTutorial/Useasubsearch


Re: Search where hosts have an unrelated sourcetype

Engager

Thanks. I didn't know it would add the host list like this as criteria.


Re: Search where hosts have an unrelated sourcetype

Legend

How about this:

eventtype=winperformance host=* object=logicaldisk

Re: Search where hosts have an unrelated sourcetype

SplunkTrust

A much better performing option could be this (again, it's a subsearch, so more than 10,000 records will get truncated):

eventtype=winperformance [| tstats count WHERE source=mysource by host | table host ] object=logicaldisk .....
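To make concrete what both subsearch answers above rely on (the subsearch's `host` rows being rewritten into OR-ed criteria for the outer search, and the silent truncation past the subsearch result limit), here is a small Python model of that mechanism. This is an added illustration, not Splunk code or code from any poster; the event records are constructed, and the rewritten-criteria string only approximates the form Splunk's `format` produces.

```python
# Added example: models how a Splunk subsearch feeds a host list into the outer
# search. Not Splunk's implementation; all events below are constructed samples.
SUBSEARCH_MAX_RESULTS = 10000  # assumed default subsearch result limit

# Events of the unrelated sourcetype whose mere presence identifies the hosts.
SOURCE_EVENTS = [
    {"sourcetype": "mysource", "host": "db01"},
    {"sourcetype": "mysource", "host": "db02"},
    {"sourcetype": "mysource", "host": "db01"},   # duplicate, removed by dedup
    {"sourcetype": "other",    "host": "web77"},  # wrong sourcetype, ignored
]

# Events the outer search (eventtype=winperformance) would scan.
PERF_EVENTS = [
    {"host": "db01",  "object": "logicaldisk", "free_mb": 512},
    {"host": "db02",  "object": "logicaldisk", "free_mb": 2048},
    {"host": "web77", "object": "logicaldisk", "free_mb": 100},   # not in host list
    {"host": "db01",  "object": "memory",      "free_mb": 8192},  # wrong object
]


def subsearch_hosts(events, sourcetype, maxout=SUBSEARCH_MAX_RESULTS):
    """'search sourcetype=X | dedup host | table host' -> ordered unique hosts.
    Returns (hosts, truncated); rows past maxout are dropped without error,
    which is the caveat the second answer warns about."""
    seen = []
    for e in events:
        if e["sourcetype"] == sourcetype and e["host"] not in seen:
            seen.append(e["host"])
    return seen[:maxout], len(seen) > maxout


def format_subsearch(hosts, field="host"):
    """Approximates how the subsearch rows are rewritten into outer-search
    criteria: one (field="value") term per row, OR-ed together."""
    return "( " + " OR ".join(f'( {field}="{h}" )' for h in hosts) + " )"


def outer_search(perf_events, hosts, obj="logicaldisk"):
    """eventtype=winperformance [<host criteria>] object=logicaldisk"""
    allowed = set(hosts)
    return [e for e in perf_events if e["host"] in allowed and e["object"] == obj]


if __name__ == "__main__":
    hosts, truncated = subsearch_hosts(SOURCE_EVENTS, "mysource")
    print(format_subsearch(hosts), "truncated:", truncated)
    for ev in outer_search(PERF_EVENTS, hosts):
        print(ev)
```

Because truncation is silent, a quick `| stats dc(host)` over the subsearch's own criteria is a cheap way to confirm the host count is below the limit before trusting the dashboard panel.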

Re: Search where hosts have an unrelated sourcetype

Engager

This looked promising, but unfortunately I am still on version 5.x and it requires a populated tsidx first. I will definitely revisit this once I upgrade to 6.x.
