Splunk Search

Identify missing servers

Muthu_Vinith
Path Finder

Hi, 

I have two datasets, for example:

1. index=abc host=def_inven, consider this Dataset A (inventory with 100 servers), and

2. lookup = something, consider this Dataset B (monitored in Splunk with 80 servers).

How can I identify the 20 missing servers?

0 Karma

richgalloway
SplunkTrust

Use a subsearch to exclude the lookup file from the index results.

index=abc host=def_inven NOT [ | inputlookup something | fields <a field from the lookup that identifies a server> | rename <field> as <some field name in Dataset A> ]
---
If this reply helps you, Karma would be appreciated.
0 Karma

Muthu_Vinith
Path Finder

I tried this method, but unfortunately I couldn't get exact results. It's showing only index data. Is there a different method? Instead of append, can we use the join command? Can you suggest different logic?
@richgalloway 

0 Karma

richgalloway
SplunkTrust

This is the point where you show the search(es) you ran, their results, and explain how those results miss expectations. Does the lookup file contain data that can be used to search the index? If not, can it be modified, or can the search modify a lookup field into something that's in the index?

---
If this reply helps you, Karma would be appreciated.
0 Karma

Muthu_Vinith
Path Finder

No, in the lookup file there are a few servers which are monitored, but in the index there are also some servers which are monitored; I need to find which are not monitored.

Is it possible to try something like this, for example:

index=abc host=def_inven

• if it is in the inventory, flag it:

flag inven=something

join

lookup <>
flag splunk=something

so we can use | stats values by flag
Is this logic correct? If it is OK, give me an exact query or suggest a different query.

@richgalloway  

0 Karma

richgalloway
SplunkTrust

The first query I gave you should have worked, but the logic you just suggested should work, too. This query marks servers from the index as "indexed" and those from the lookup file as "lookup". After combining the results by server name, it keeps only the servers found solely in the index.

index=abc host=def_inven
| eval inven="indexed"
| append [ | inputlookup mylookup.csv
  | eval inven="lookup"
]
| stats values(*) as * by server
| where (mvcount(inven)=1 AND isnotnull(mvfind(inven,"indexed")))


---
If this reply helps you, Karma would be appreciated.
0 Karma
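To make the two answers in this thread concrete, here is an added, self-contained example; it is not richgalloway's search and not Splunk's own code. Both sides of the comparison are replaced by constructed rows built with makeresults (five "inventory" hosts, three "monitored" hosts), so it can be pasted into any Splunk search bar with no index or lookup file present. It follows the stats-based anti-join from the last answer and normalizes the join key first, so "WEB01" in the inventory and "web01 " in the lookup are treated as the same server:

```spl
| makeresults
| eval host="web01 web02 db01 db02 app01"
| makemv delim=" " host
| mvexpand host
| eval inven="indexed"
| table host inven
| append [
    | makeresults
    | eval host="web01 db01 app01"
    | makemv delim=" " host
    | mvexpand host
    | eval inven="lookup"
    | table host inven
  ]
| eval host=lower(trim(host))
| stats values(inven) as inven by host
| where mvcount(inven)=1 AND inven="indexed"
```

Running it returns two rows, web02 and db02: the hosts that exist in the inventory side but never appear in the lookup side. To use it for real, replace the first makeresults block with `index=abc host=def_inven | table host` and the second with `| inputlookup mylookup.csv | rename server as host | table host` (the lookup field name `server` is an assumption here; use whatever column actually holds the hostname). The key point for both approaches in this thread is that the field carrying the hostname must have the same name and the same spelling on both sides before `stats ... by host`. With the NOT-subsearch form from the first answer, a mismatched field name is silent: the subsearch expands to a condition on a field the events do not have, so the NOT clause excludes nothing and the search returns all of the index data. Two further caveats: a subsearch is capped by limits.conf [subsearch] (maxout defaults to 10,000 rows, maxtime to 60 seconds), so a lookup larger than that is silently truncated and the truncated servers get reported as missing; and the same exclusion can be done without any subsearch as `| lookup mylookup.csv server AS host OUTPUT server AS in_lookup | where isnull(in_lookup)`, which also avoids those limits (again assuming a lookup column named `server`).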

Muthu_Vinith
Path Finder

It works, thank you @richgalloway

richgalloway
SplunkTrust

If your problem is resolved, then please click the "Accept as Solution" button to help future readers.

---
If this reply helps you, Karma would be appreciated.
0 Karma