How to generate a search that will let me know if ...

sravankaripe · ‎11-28-2016

how can i know that a particular host is sending data or not? and how can i know that the Splunk agent is installed in particular host or not? please help me with search query and what we have to observer from the search result.

gcusello · ‎11-29-2016

Hi sravankaripe,
If you want to know host that don't send log the solution from @sundareshr is perfect.
If you want to have a table with all the host and the indication of which are sending and which aren't sending you could use something like this:
|inputlookup hoslist.csv | eval count=0, host=lower(host) | append [ search index=_internal | eval host=lower(host) | stats count by host ] | stats sum(count) AS Total | rangemap field=Total severe=0-0 low=1-1000000000 default=severe
In this way hosts with severe aren't sending and host with low are sending.
You could also add a graphical representation using

script="table_icons_rangemap.js, stylesheet="table_decorations.css"

that you can take from the Splunk 6.0 Dashboard Examples App (https://splunkbase.splunk.com/app/1603/).

Bye.
Giuseppe

sundareshr · ‎11-28-2016

You will first need to create a list of all the hosts in your environment and use that to create a lookup file (csv file should have a field called host)

http://docs.splunk.com/Documentation/Splunk/6.5.0/SearchReference/Lookup

ONce you have the lookup, you try this search

| inputlookup hostlist.csv | field host | search NOT [| metadata type=hosts index=*]

sravankaripe · ‎11-28-2016

i know index=_internal sourcetype=splunkd

How to generate a search that will let me know if Splunk is installed on a host and if the host is sending data or not?

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Adoption of RUM and APM at Splunk