Hi,
We have two lists of CSV files. Each one has 500 hosts, and for each we need to figure out which hosts are reporting to Splunk and which are not. For that I created a lookup and I'm able to see that some hosts are not reporting to Splunk. I need to combine the lists and also check which hosts are not reporting to the deployment server. The reason to check the deployment server is that we need to install agents on hosts which do not have them among the two CSV files. So actually I am looking for a search that shows these columns: host, IP, age, last time reporting to Splunk, agent version, and reporting to the deployment server or not. I have two queries. Please help me with a search to check the lists of the servers that are reporting to Splunk and to the deployment server.

| metadata type=hosts index=*
| lookup samplehostsrecentlist.csv host output PCI host os IP
| search PCI=Y
| eval age=(now()-recentTime)
| search age >1
| convert ctime(*Time)
| append [ | inputlookup samplehostsrecentlist.csv ]
| dedup host
| fields host IP PCI os lastTime age
| sort lastTime
| convert timeformat="%Y-%m-%d %k:%M:%S" ctime(current_time) as current_time ctime(last_login_time) as last_login_time rmunit(age) as numSecs
| eval stringSecs=tostring(numSecs,"duration")
| eval stringSecs=case(stringSecs="00:00:00", "0+0:0:0", 0=0, stringSecs)
| eval stringSecs = replace(stringSecs,"(\d+)\:(\d+)\:(\d+)","\1h \2min \3s")
| fields - age current_time numSecs
| rename stringSecs as age
| sort - age

index=_internal source=*metrics.log* fwdType=uf
| stats values(version) as Version values(os) as OS values(fwdType) as ForwarderType values(build) as Build by hostname
| join type=outer hostname [|inputlookup sample1hostsrecentlist.csv | eval hostname=host | table hostname PCI]
| join type=outer hostname [|inputlookup sample2hostsrecentlist.csv | eval hostname=host | table hostname sox]
| where PCI="y" OR sox="y"
| rename hostname as Host