×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
CyberSamurai
Engager
Member since: ‎07-07-2025
‎07-09-2025
Community Statistics
Posts 5
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎07-07-2025
Activity Feed
View All

Re: Sourcetype Missing for Tag Member

by in Splunk Search
‎07-09-2025 08:49 AM
‎07-09-2025 08:49 AM
@gcusello    It turns out there was different casing between the sourctype name in the lookup file and in Splunk. That was causing the duplicates in the search you gave me. The final version of the query that worked exactly as desired was this (once I made the sourctype match exactly in the lookup file and in Splunk). index=sw tag=MemberServers sourcetype="windows PFirewall Log" | stats count BY sourcetype host | eval host=lower(host) | append [ | inputlookup MemberServers.csv | eval count=0 | fields sourcetype host count] | stats sum(count) AS total BY sourcetype host | where total=0 Thank you for your help! ... View more

Re: Sourcetype Missing for Tag Member

by in Splunk Search
‎07-08-2025 03:09 PM
‎07-08-2025 03:09 PM
It looks like I closed this thread early because I've hit an issue. I decided to go with the lookup table afterall. The query I marked as correct, does work, but it creates duplicate hosts which throws off the results. At first I thought it was just because the host name in Splunk had different casing than the MemberServers.csv file. I tweaked the query to lower the host names (all the names in MemberServers.csv are lower case) and removed the "| where total=0" line. That showed me there are 2 hosts for every host returned by the Splunk query. There is one from the original query and the one appended by the .csv file. For some reason the stats sum(count) command doesn't see them as identical hosts but two different ones even though their names are exactly the same (including case). This is the query which tells me there are now duplicates, one with count 0 (presumably added by the append command) and one a count greater than 0 (presumably added by the Splunk query). index=sw tag=MemberServers sourcetype="windows PFirewall Log" | eval host=lower(host) | stats count BY sourcetype host | append [ | inputlookup MemberServers.csv | eval count=0 | fields sourcetype host count] | stats sum(count) AS total BY sourcetype host I tried replacing append with a join command but I ran into problems with that too. Any help would be appreciated. ... View more

Re: Sourcetype Missing for Tag Member

by in Splunk Search
‎07-08-2025 11:45 AM
‎07-08-2025 11:45 AM
Each of these answers are excellent. Thank you all for your input. For now, I'm going to go with the "was working within the last 30 days" search as that's what I need. Thanks! ... View more

Re: Sourcetype Missing for Tag Member

by in Splunk Search
‎07-07-2025 03:52 PM
‎07-07-2025 03:52 PM
Thank you for the reply. I've used lookup tables a little before and can probably figure out that piece of it. Once I have that comparison list working, how would I say where events for that sourcetype is zero? I've tried something like this without success: ... | stats count by sourcetype,host | where sourcetype="windows PFirewall Log" | where "count">="1" ... View more

Sourcetype Missing for Tag Member

by in Splunk Search
‎07-07-2025 01:30 PM
‎07-07-2025 01:30 PM
Hello Splunk Community. I'd like to use a query to find a host which is a member of a tag group and has 0 events for a specific sourcetype. Here's the search that gets me most of the way there: index=sw tag=MemberServers sourcetype="windows PFirewall Log" | stats count by sourcetype,host But I'd like to return only hosts which have 0 events (aka. are missing firewall data). How can I do this? ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎07-09-2025 08:46 AM