Re: How find a service that is not running on a se...

Kksplunker · ‎04-19-2021

gcusello · ‎04-19-2021

try something like this:

index="windows" State="*" service="CB" 
| eval host=upper(host)
| stats count BY host
| append [ | inputlookup itsi_entities | rename identifier.values as host | eval host=upper(host), count=0 | fields host count ] 
| stats sum(count) AS total BY host
| where total=0
| table total

Ciao.

Giuseppe

Kksplunker · ‎04-20-2021

.

gcusello · ‎04-20-2021

Hi @Kksplunker,

ok, let me understand:

you have some servers with service="CB" and some others without this service,
you want the list of all servers without this service?

it's easier, did you tried this?

index="windows" State="*" NOT service="CB"
| ...

Ciao.

Giuseppe

Kksplunker · ‎04-20-2021

.

gcusello · ‎04-20-2021

Hi @Kksplunker,

sorry but I don't understand your need:

if you want the servers, from your lookup, without the service CB, you can use my first answer,
if you want the servers, in all your infrastructure, without the service CB, you can use my second answer;

what's your need?

In my opinion you need the first, in which there are the list of all servers with service=CB active that are sending logs and there's the match with the list of all your server from the lookup:

total=0 means that you haven't servers with service=CB that are sending logs,
total>0 means that you have servers with service=CB that are sending logs,

if in your lookup you have more than Windows servers, you have to filter the lookup in the append.

Ciao.

Giuseppe

.

chart

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!