Differences between search results

srinathd · ‎11-07-2013

Hello,
I have a lookup table called host-list which has a list of all the hosts present in a network. I want to have a daily search that finds the list of hosts from where the log files are not generated. That is, I want to compare the list of all hosts present in host-list with the list of hosts from the log files and generate a table which shows all the "unresponsive" hosts, as in, the hosts which do not generate log files.

I tried using map, diff, NOT and various other options but none seem to work. Any help?

Sample search I used which didn't work:
|inputlookup host-list | table host | where host NOT [search index=my_index earliest=-d@d latest=@d | fields hosts]

somesoni2 · ‎11-07-2013

This may perform faster

|inputlookup host-list | table host  | join type=outer host [search index=my_index earliest=-d@d latest=@d | stats count by hosts | rename hosts as host | fields - count| eval status="Responsive"]|eval status=COALESCE(status,"Unresponsive") | where status="Unresponsive"

The inner search will fetch distinct host from which data is coming and they add a field status="Responsive". You join this with your lookup data by host and with outer join, un-matched hosts will have status=NULL that we are transforming as "Unresponsive".

martin_mueller · ‎11-07-2013

Try something like this:

| inputlookup host-list | search NOT [search index=myindex earliest=-d@d latest=@d | fields host | dedup host]

It'll grab the list of unique host values from yesterday, build a huge (NOT ((host=A) OR (host=B) OR ...)) filter, and apply that to the results of the inputlookup.

Differences between search results

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life