Hi,
I need your help in order to get the difference between two searches. I have a task running once a day on all my servers, and if the task succeeds it generates an event log that is sent to Splunk.
I need to know which servers didn't generate that event. At this moment the result should be 1 server that is offline. But I don't get any results, even though each search on its own returns the list of my servers.
- 1st search is a lookup table (static) with all my servers:
| inputlookup ctx_arc_hardware.csv
| where HW_State="Active" AND (Group="XenApp APPS" OR Group="XenApp RBT")
| table Hostname
| rename Hostname as ComputerName
- 2nd search (aleatory) is the list of servers that have a specific event generated once a day, from the eventvwr index:
index=eventviewer sourcetype=ctxevent EventCode=200 earliest=-8h
| table ComputerName
After googling it, I found these 2 ways, but I'm not getting the result I want:
| set diff
[search index=eventviewer sourcetype=ctxevent EventCode=200 earliest=-8h
| table ComputerName]
[search inputlookup ctx_arc_hardware.csv
| where HW_State="Active" AND (Group="XenApp APPS" OR Group="XenApp RBT")
| table Hostname
|rename Hostname as ComputerName]
And also tried:
| inputlookup ctx_arc_hardware.csv
| where HW_State="Active" AND (Group="XenApp APPS" OR Group="XenApp RBT")
| table Hostname
| rename Hostname as ComputerName
Where NOT [search index=eventviewer sourcetype=ctxevent EventCode=200 earliest=-26m
| table ComputerName,]
Can you point me in the right direction?
| inputlookup ctx_arc_hardware.csv
| where HW_State="Active" AND (Group="XenApp APPS" OR Group="XenApp RBT")
| table Hostname
| rename Hostname as ComputerName
| dedup ComputerName
| eval from=1
| append [search index=eventviewer sourcetype=ctxevent EventCode=200 earliest=-26m
| dedup ComputerName
| table ComputerName
| eval from=2]
| stats sum(from) as from by ComputerName
from will equal 1 if it is only in the lookup, 2 if only in the index and 3 if in both lookup and index
Hi,
I had to make some changes because of case sensitivity, but it's the same search:
By adding the condition where from=1, now I can see only the server that I need!
| inputlookup ctx_arc_hardware.csv
| where HW_State="Active" AND (Group="XenApp APPS" OR Group="XenApp RBT")
| eval ComputerName=lower(Hostname)
| table ComputerName
| dedup ComputerName
| eval from=1
| append [search index=eventviewer sourcetype=ctxevent EventCode=200 earliest=-16h
| eval ComputerName=lower(substr(ComputerName, 1, 10))
| dedup ComputerName
| table ComputerName
| eval from=2]
| stats sum(from) as from by ComputerName | where from=1 | table ComputerName
Many thanks ITWhisperer
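As an added illustration, not taken from this thread and not ITWhisperer's code, here is the same flag-sum set difference from the accepted answer, together with the case and hostname normalisation from the follow-up, written in Python so it can be run offline. The inventory CSV rows, the event records and every hostname are constructed; stripping the DNS suffix in normalize() is an assumption about the naming scheme, used in place of the fixed substr(ComputerName, 1, 10) above. The from=1 / from=2 / from=3 classification is exactly the one described in the answer.

```python
"""
Added example (not from the thread): the "sum of from flags" set difference
in plain Python, run over constructed inventory rows and constructed events.
"""
import csv
import io

# Constructed stand-in for ctx_arc_hardware.csv (the static inventory lookup).
LOOKUP_CSV = """\
Hostname,HW_State,Group
XAAPP01,Active,XenApp APPS
XAAPP02,Active,XenApp APPS
XARBT01,Active,XenApp RBT
XARBT02,Active,XenApp RBT
XAOLD01,Decommissioned,XenApp RBT
FILESRV01,Active,File Servers
"""

# Constructed stand-in for the EventCode=200 events. Mixed case and FQDN form
# of ComputerName are deliberate: that is what broke the first attempts.
EVENTS = [
    {"ComputerName": "xaapp01.corp.example", "EventCode": "200"},
    {"ComputerName": "XAAPP02.corp.example", "EventCode": "200"},
    {"ComputerName": "xarbt01.corp.example", "EventCode": "200"},
    {"ComputerName": "xarbt01.corp.example", "EventCode": "200"},   # duplicate (dedup case)
    {"ComputerName": "xarbt02.corp.example", "EventCode": "999"},   # wrong event code, ignored
    {"ComputerName": "labbox01.corp.example", "EventCode": "200"},  # not in the inventory
]

ALLOWED_GROUPS = {"XenApp APPS", "XenApp RBT"}
IN_LOOKUP, IN_EVENTS = 1, 2  # the "from" flags used in the accepted answer


def normalize(name: str) -> str:
    """Lower-case and drop the DNS suffix so 'XAAPP01' and
    'xaapp01.corp.example' compare equal. Splitting at the first dot is an
    assumption about the naming scheme (instead of a fixed-length substr)."""
    return name.strip().lower().split(".")[0]


def expected_servers(lookup_csv: str) -> set[str]:
    """Equivalent of: inputlookup | where HW_State="Active" AND Group in (...)."""
    rows = csv.DictReader(io.StringIO(lookup_csv))
    return {normalize(r["Hostname"]) for r in rows
            if r["HW_State"] == "Active" and r["Group"] in ALLOWED_GROUPS}


def reporting_servers(events, event_code="200") -> set[str]:
    """Equivalent of: index=... EventCode=200 | dedup ComputerName."""
    return {normalize(e["ComputerName"]) for e in events
            if e.get("EventCode") == event_code}


def classify(expected: set[str], seen: set[str]) -> dict[str, int]:
    """Mirror of append + stats sum(from) by ComputerName:
    1 = only in the lookup, 2 = only in the events, 3 = in both."""
    flags: dict[str, int] = {}
    for host in expected:
        flags[host] = flags.get(host, 0) + IN_LOOKUP
    for host in seen:
        flags[host] = flags.get(host, 0) + IN_EVENTS
    return flags


def silent_servers(lookup_csv: str, events) -> list[str]:
    """Inventory hosts with no matching event (from=1), sorted for stable output."""
    flags = classify(expected_servers(lookup_csv), reporting_servers(events))
    return sorted(h for h, f in flags.items() if f == IN_LOOKUP)


def unexpected_reporters(lookup_csv: str, events) -> list[str]:
    """Hosts that sent the event but are not in the active inventory (from=2)."""
    flags = classify(expected_servers(lookup_csv), reporting_servers(events))
    return sorted(h for h, f in flags.items() if f == IN_EVENTS)


if __name__ == "__main__":
    print("silent:", silent_servers(LOOKUP_CSV, EVENTS))          # ['xarbt02']
    print("unexpected:", unexpected_reporters(LOOKUP_CSV, EVENTS))  # ['labbox01']
```

Running it reports the one inventory host without an EventCode 200 record and, from the same flag table, the host that reported without being in the active inventory; both fall out of the single sum, which is why the append/stats pattern is cheaper than running the two searches separately. The suffix-stripping normalisation has a direct SPL counterpart, eval ComputerName=lower(mvindex(split(ComputerName, "."), 0)), which avoids tying the match to a fixed hostname length.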