Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Validating if 100 nodes are on boarded in splunk indexes or not. If not ?

jcorcoran508
Path Finder
‎10-08-2021 04:45 AM

I have this task were I am successful in getting result sets from nodes that are present in my splunk instance.

How ever I can't find a way to announce in the spl syntax if the Name of the Node that doesn't exist with a Yes or no value in another field

i.e.

Node            present

Appserver   No

 

 

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎10-08-2021 04:56 AM

Hi @jcorcoran508,

I think that Node is the hostname or a field of each system that's sending logs.

In this way you could create a lookup (called e.g. perimeter.csv) containing all the Nodes to monitor (at least one field called e.g. Node or host, in the following example Node), then you have to run a search like this:

index=your_index
| eval Node=lower(Node)
| stats count BY Node
| append [ | inputlookup perimeter.csv | eval Node=lower(Node), count=0, | fields Node count ]
| stats sum(count) AS total BY Node
| eval present=if(total=0,"No","Yes")
| table Node present

Ciao.

Giuseppe

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎10-08-2021 04:56 AM

Hi @jcorcoran508,

I think that Node is the hostname or a field of each system that's sending logs.

In this way you could create a lookup (called e.g. perimeter.csv) containing all the Nodes to monitor (at least one field called e.g. Node or host, in the following example Node), then you have to run a search like this:

index=your_index
| eval Node=lower(Node)
| stats count BY Node
| append [ | inputlookup perimeter.csv | eval Node=lower(Node), count=0, | fields Node count ]
| stats sum(count) AS total BY Node
| eval present=if(total=0,"No","Yes")
| table Node present

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎10-13-2021 11:13 PM

Hi @jcorcoran508,

good for you, see next time!

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated 😉

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...