Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to create timechart of events from servers that appeared last week, but not the last 24 hours?

yanivamram
Path Finder
‎08-14-2014 01:11 PM

Hi,
I have hundreds of servers that report to Splunk.
I would like to create a timechart that will include only events from servers that didn't report in last 24 hours (but did report in the past week).

What is the best way to do that?

Thanks,

Yaniv

Tags (2)
Reply
1 Solution
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎08-14-2014 02:05 PM

You could do this:

| tstats count where index=yourindex AND
    [ tstats latest(_time) as latest where index=yourindex by host
    | where latest < relative_time(now(), "-24h") | fields host ]
  by _time host | timechart count by host

Run that over the last 7 days.

View solution in original post

Reply
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎08-14-2014 02:05 PM

You could do this:

| tstats count where index=yourindex AND
    [ tstats latest(_time) as latest where index=yourindex by host
    | where latest < relative_time(now(), "-24h") | fields host ]
  by _time host | timechart count by host

Run that over the last 7 days.

Reply
Solved! Jump to solution

yanivamram
Path Finder
‎08-17-2014 12:12 AM

Thanks Martin,
It was very helpful 🙂

0 Karma
Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎08-14-2014 02:47 PM

Sure. Same strategy, except that - unless the field is indexed - you can't speed things up with tstats so it'd look like this:

index=yourindex sourcetype=yoursourcetype
  [ search index=yourindex sourcetype=yoursourcetype | stats latest(_time) as latest by ServerName | where latest < relative_time(now(), "-24h") | fields ServerName ]
| timechart count by ServerName
Reply
Solved! Jump to solution

yanivamram
Path Finder
‎08-14-2014 02:34 PM

Thanks for the quick response.
I probably didn't explain myself properly 😞
I've a log collector that write a single log file from many servers, and this log reported to Splunk.
So the Server that I'm looking for is part of the event reported to Splunk(it is NOT the 'host' field).
The log will look like:
ServerName=

is that doable to search for all Servers that appeared in last week but doesn't appear in last 24H?

Thanks again,
Yaniv

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...