Splunk Search

Search where hosts have an unrelated sourcetype

tk15
Engager

I was refining an existing search/dashboard panel when I discovered that my hosts do not reliably follow a pattern. What these hosts do have in common is the presence of a sourcetype unrelated to the data in the search.

Existing Search:

eventtype=winperformance host=myhostpattern object=logicaldisk .....

This search works nicely, but excludes hosts which do not follow the pattern. I would like to replace host=myhostpattern with something that will search for:

sourcetype=mysource |dedup host 

and use this to create the host list to use.

I have considered using an inputlookup/outputlookup, but thought there would be a better option.

0 Karma
1 Solution

javiergn
SplunkTrust
SplunkTrust

Subsearch is your friend here (unless the number of hosts is huge):

eventtype=winperformance object=logicaldisk
[search sourcetype=mysource | dedup host | table host]

More about subsearches: http://docs.splunk.com/Documentation/Splunk/latest/SearchTutorial/Useasubsearch

View solution in original post

0 Karma

somesoni2
SplunkTrust
SplunkTrust

A much better performing option could be this (again it's a subsearch so more than 10,000 records will get truncated)

 eventtype=winperformance [| tstats count WHERE source=mysource by host | table host ] object=logicaldisk .....
0 Karma

tk15
Engager

This looked promising but unfortunately I am still on version 5.x and requires a populated tsidx first. I will definitely revisit this once I updgrade to 6.x.

0 Karma

sundareshr
Legend

How about this

eventtype=winperformance host=* object=logicaldisk 
0 Karma

javiergn
SplunkTrust
SplunkTrust

Subsearch is your friend here (unless the number of hosts is huge):

eventtype=winperformance object=logicaldisk
[search sourcetype=mysource | dedup host | table host]

More about subsearches: http://docs.splunk.com/Documentation/Splunk/latest/SearchTutorial/Useasubsearch

0 Karma

tk15
Engager

Thanks. I didn't know it would add the host list like this as a criteria.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...