Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to search for hosts that are not forwarding data of a specific source or sourcetype?

cruschke_bde
Explorer
‎11-17-2014 05:42 AM

I am running a lot of Splunkforwarders and use source=system sourcetype=foo for some custom Solaris OS metrics. All the nodes should have this source/sourcetype definition but I can see there is a gap between the total number of hosts and the number that send data as source=system sourcetype=foo. Therefore I would like to find all the nodes that are not sending data belonging to this source/sourcetype.

As far as I can see Deployment Monitor does not help here as it helps only to find hosts that suddenly stops reporting things, and I am pretty sure the nodes never sent sourcetype=foo.

The search should do a diff of the list of all the nodes (host=*) and a list of hosts returned by "source=system sourcetype=foo", tried various things but I am currently out of ideas.

Using dsh (or any other distributed SSH) and grep would help or course, but I am curious if there is any way doing it in SPL.

Any help appriciated.

Cheers Christian

Reply
1 Solution
Solved! Jump to solution
Solution

MuS
SplunkTrust
SplunkTrust
‎11-17-2014 06:16 AM

Hi cruschke_bde,

I'm no fan of using join or subsearch but I think this is one of the use cases where you have to use it. Try something like this:

source=system sourcetype=foo | stats count by sourcetype, host | search NOT [ search host=* | dedup host | table host ]

this should return a list of those hosts not sending events with sourcetype=foo

Update:

Assuming there are some other sourcetype available per host, then there is a way to get this without a subsearch ... try this:

source=system | stats count(eval(sourcetype="foo")) AS c_foo count(eval(sourcetype!="foo")) AS c_others by host | search c_foo=0 AND c_others>=0 | dedup host | table host

hope this helps ...

cheers, MuS

View solution in original post

Reply
Solved! Jump to solution
Solution

MuS
SplunkTrust
SplunkTrust
‎11-17-2014 06:16 AM

Hi cruschke_bde,

I'm no fan of using join or subsearch but I think this is one of the use cases where you have to use it. Try something like this:

source=system sourcetype=foo | stats count by sourcetype, host | search NOT [ search host=* | dedup host | table host ]

this should return a list of those hosts not sending events with sourcetype=foo

Update:

Assuming there are some other sourcetype available per host, then there is a way to get this without a subsearch ... try this:

source=system | stats count(eval(sourcetype="foo")) AS c_foo count(eval(sourcetype!="foo")) AS c_others by host | search c_foo=0 AND c_others>=0 | dedup host | table host

hope this helps ...

cheers, MuS

Reply
Solved! Jump to solution

cruschke_bde
Explorer
‎11-18-2014 12:02 AM

Hi MuS,

thanks for your help, I was trying various things with subsearches but they didn't work. Your 2nd proposal is exactly what I was looking for - it works perfect!

Thanks again.

Cheers Christian

Reply
Solved! Jump to solution

MuS
SplunkTrust
SplunkTrust
‎11-18-2014 12:14 AM

you're welcome 😉 please mark this as answered - thx

0 Karma
Reply
Solved! Jump to solution

MuS
SplunkTrust
SplunkTrust
‎11-17-2014 06:37 AM

update ping ....

0 Karma
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...