Could you please anyone help me to write a query to find the missing deployment client?
There are many forwarders contacting deployment servers and they are sending logs to different indexes. So I guessed anyhow all forwarders are going to send internal logs and taking internal index in my query. But for some hosts splunk internal logs are missing but they are sending other logs to other indexes. If I use all the indexes in my query using OR, it took much time. Please help me in this.
And we have received internal logs like below for the host which are not sending internal logs sometimes
08-06-2014 09:55:46.224 +0100 INFO WatchedFile - Will begin reading at offset=24999957 for file='/opt/splunkforwarder/var/log/splunk/metrics.log.1'.
08-06-2014 09:55:46.215 +0100 INFO WatchedFile - Will begin reading at offset=0 for file='/opt/splunkforwarder/var/log/splunk/metrics.log'.
08-08-2014 03:10:01.674 +0100 INFO WatchedFile - File too small to check seekcrc, probably truncated. Will re-read entire file='/var/log/syslog'.
Search Query :
|metasearch index=_internal NOT("tag::sourcetype"=syslog_sourcetype OR "tag::sourcetype"=xfbsourcetype)| stats count by host | eval type="current" | table host, type | append [|inputlookup univfwdlist.csv | eval type="existing"] | stats values(type) as type by host | where mvcount(type) =1 | eval reason=if(type="current","New Host","Missing Host") | table host reason | search reason="Missing Host"
Is there any alternate query to find the missing deployment client? If so could you please expain in detail.
Thanks in advance
