Splunk Search

Restrict Hosts in This Particular Search

aferone
Builder

Hello to all,

I am using the search in the link below to find hosts that haven't logged in a certain amount of time:

http://splunk-base.splunk.com/answers/3181/how-do-i-alert-when-a-host-stops-sending-data

| metadata index=yourindex type=hosts | eval age = now()-lastTime | where (age > 3600 AND age < 7200) | sort age d | convert ctime(lastTime) | fields age,host,lastTime

How do I restrict certain hosts from the search? There are hosts that we don't necessarily want to be alerted on, but I wasn't able to figure out how to do it with the metadata searches.

Any help would be great, and thanks!

Tags (3)
0 Karma
1 Solution

lguinn2
Legend

Try

| metadata index=yourindex type=hosts 
| search host!=nothishost* host!=notthishost2.*
| eval age = now()-lastTime 
| where (age > 3600 AND age < 7200) 
| sort age d | convert ctime(lastTime) | fields age,host,lastTime

If you have a lot of hosts to eliminate, there are other ways, but this is easiest.

View solution in original post

0 Karma

lguinn2
Legend

Try

| metadata index=yourindex type=hosts 
| search host!=nothishost* host!=notthishost2.*
| eval age = now()-lastTime 
| where (age > 3600 AND age < 7200) 
| sort age d | convert ctime(lastTime) | fields age,host,lastTime

If you have a lot of hosts to eliminate, there are other ways, but this is easiest.

0 Karma

aferone
Builder

Perfect! Thanks!

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...