Splunk Search

lookup table to find systems not reporting

hartfoml
Motivator

I have a look-up table of systems reporting to splunk from one of my users. He would like to know when one of the systems on the list is not reporting to splunk in the last 24 hours.

Any suggestions?

0 Karma
1 Solution

martin_mueller
SplunkTrust
SplunkTrust

Assuming your table has a field called host, something roughly like this:

| inputlookup your_host_lookup | join type=left host [metadata type=hosts] | fillnull recentTime | where recentTime < relative_time(now(), "-24h")

martin_mueller
SplunkTrust
SplunkTrust

That's a fully paid-for invitation, right? :slightly_smiling_face:

hartfoml
Motivator

I had to add the data I wanted to display on the end like this:

| inputlookup MyHostList.csv | join type=left host [metadata type=hosts] | fillnull recentTime | where recentTime < relative_time(now(), "-24h") | eval Comment="This system has not reported to CLS in the last 24 Hours" | table host Comment

Thanks Martin for the help. Hope to meet you at the Users conference 2014

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

This will list hosts from your lookup table that either don't appear in the output of metadata or that appear but have a recentTime older than 24 hours ago.

fillnull replaces null values with zero for the recentTime field, allowing the comparison with "24 hours ago" to work properly for hosts that are in the lookup table but are not listed by metadata.

0 Karma
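An added example of the same check written without join, not a query from this thread; it assumes the lookup is named MyHostList.csv and has a host column, as in the thread. The metadata rows and the lookup rows are unioned, and stats collapses them per host, so a host that only exists in the lookup keeps the recentTime=0 the lookup branch sets (the same effect fillnull has in the accepted answer), a host seen by metadata gets its real recentTime, and a host that is indexed but not in the lookup is dropped because inLookup is null. The output also separates "never seen" from "stale", and lowercases host on both sides so a case difference between the lookup and the indexed host value does not produce a false "not reporting":

```spl
| metadata type=hosts index=*
| eval host=lower(host)
| fields host recentTime
| append [
    | inputlookup MyHostList.csv
    | eval host=lower(host), recentTime=0, inLookup=1
    | fields host recentTime inLookup
  ]
| stats max(recentTime) AS recentTime, max(inLookup) AS inLookup BY host
| where inLookup=1 AND recentTime < relative_time(now(), "-24h")
| eval status=if(recentTime=0, "never seen", "stale"),
       last_seen=if(recentTime=0, "never", strftime(recentTime, "%Y-%m-%d %H:%M:%S"))
| table host status last_seen
```

Two things to check before trusting the result: metadata only covers the indexes named in its index argument (here index=*, limited to what the running user can search), so hosts that log to an index outside that scope will show as "never seen"; and the join form in the thread is subject to the subsearch row limits, which this append-and-stats form avoids, so it scales to a large host list. Scheduled as a saved search with an alert on any row returned, this gives the owner of the list a daily coverage gap report.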

hartfoml
Motivator

Thanks Martin, but will this find the host that is reporting or the host that is not reporting? I'm unsure about what "fillnull" does.

0 Karma