Splunk Search

locating dead hosts

rbellini
Explorer

I am trying to get a report of all hosts that have not reported any events in the last 2 hours. I am using:

| metadata type=hosts | search totalCount >0 AND lastTime < now-2h

It only reports hosts that have a totalCount >0 yet it ignores the lastTime qualifier.

Any suggestions?

Thank you!

Tags (1)
0 Karma

jonuwz
Influencer
| metadata type=hosts totalCount >0 | where lastTime < relative_time(now(),"-2h")

now() is only available in eval and where clauses.

You could not use relative_time() and just instead use now()-(60*60*2)

rbellini
Explorer

This also worked:

| metadata type=hosts | where lastTime <(now()-7200) AND totalCount >0

0 Karma

rbellini
Explorer

This almost worked! I made one minor change:

| metadata type=hosts | where lastTime < relative_time(now(),"-2h") AND totalCount >0

Thank you!

0 Karma

yannK
Splunk Employee
Splunk Employee

My method is to save a list of the hosts with a scheduled lookup, that updated every week
then use it in a join to compare to the list of the hosts who sent data in the last hour.

generate the lookup with last week hosts
earliest=-7d@d latest=-14d@d, scheduled to run every week

* | stats count AS previouscount by host | outputlookup host_previousweek.csv

scheduled test to compare to current hosts. (like last 2 hours)

| inputlookup host_previousweek.csv | JOIN type=outer host
[ search * | stats count AS currentcount by host ]
| eval check_test=if(isnull(currentcount),"missing",if(isnull(previouscount),"new","present"))
| WHERE check_test="missing"

And alert on missing.
If you need to update the host lookup, run it manually

rbellini
Explorer

This presents a totall new concept on locating missing hosts!

Thanks!

0 Karma
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...