Deployment Architecture

Get list of servers not sending logs


i want to get list of servers from the csv which are not sending any logs to splunk like for past 48 hours with time when it stopped ingesting. i am trying below query but no success.

| metadata type=hosts index=*
| where lastTime < relative_time(now(),"-24h") AND totalCount > 0
| convert ctime(lastTime) as "Time when stopped" ctime(firstTime) as "Time when Started"
| table host "Time when stopped"
| search
[| inputlookup xyz.csv |fields hostname] | table host "Time when stopped"

0 Karma


Please refer below to get list of host which are not sending logs without using a lookup.

0 Karma


Please try below query

| tstats latest(_time) as l earliest(_time) as e where index=*
[| inputlookup x.csv
| rename hostname as host
| table host] by host
| eval diff=now()-l
| eval diff_in_days = round(diff/86400,2)
| convert ctime(l) as lasttime ctime(e) as first
| where diff_in_days>1

0 Karma


shows error in the query

0 Karma


@walia_sapient Could you please give the error message ?

0 Karma


okay there was a extra dot in the query mistakenly , errors removed but the query is not returning any results though there are few servers from csv which are not sending logs

0 Karma


For me it did work, however there is otherway

| tstats latest(_time) as l earliest(_time) as e where index=* host IN (x,y,z,a,.......) by host | eval diff=now()-l | eval diff_in_days = round(diff/86400,2) | convert ctime(l) as lasttime ctime(e) as first | where diff_in_days>1

place the host names from your CSV the above query for host IN by separating them with ,

0 Karma

Revered Legend

Try this

List the hosts who have not sent any data in last 48 hours.

| tstats count WHERE index=* earliest=-48h [| inputlookup xyz.csv |table hostname | rename hostname as host ] by host 
| append  [| inputlookup xyz.csv |table hostname | rename hostname as host | eval count=0 ] 
| stats max(count) as count by host | where count=0 
0 Karma


It didn't work giving false results

0 Karma



If your are just looking for sever list, below query will do the work, (select time range for 48 hours)

| metadata type=hosts index=*
| lookup xyz.csv hostname as host OUTPUTNEW other_field as other_field
| where isnull(other_field)
| table host

other_field - select any field from the lookup

happy splunking .....!!!!

0 Karma
Get Updates on the Splunk Community!

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL  The Splunk AI Assistant for SPL ...

Buttercup Games: Further Dashboarding Techniques (Part 5)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Customers Increasingly Choose Splunk for Observability

For the second year in a row, Splunk was recognized as a Leader in the 2024 Gartner® Magic Quadrant™ for ...