Solved: How to show hosts with no entries

vstariradev · ‎09-14-2017

I want to get an alert if there are no splunk entries from a host.

So far my query is the below but the zero fields are not populated.
| tstats count WHERE index=myindex GROUPBY host

I tried adding | fillnull value=0 count but the hosts with 0 logs are still missing.

niketn · ‎09-14-2017

@vstariradev, questions on similar lines have been asked and answered several times in past here is one of the approach.

https://answers.splunk.com/answers/133078/display-hosts-that-didnt-have-events-only.html
You would need to have some source of getting all the host names (possibly a csv file)

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

lfedak_splunk · ‎09-14-2017

Hey @vstariradev, If @niketnilay solved your problem with that link, please don't forget to accept an answer! You can upvote posts as well. (Karma points will be awarded for either action.) Happy Splunking!

niketn · ‎09-14-2017

@vstariradev, questions on similar lines have been asked and answered several times in past here is one of the approach.

https://answers.splunk.com/answers/133078/display-hosts-that-didnt-have-events-only.html
You would need to have some source of getting all the host names (possibly a csv file)

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

vstariradev · ‎09-15-2017

Thanks for the reply. This is what I was looking for. Follow up question: I want to limit the search to specific landscapes (test/prod) because I have hosts with the same names in different landscapes. I tried with the below but it didn't show any results:
index=my_index landscape=prod [| inputlookup "hosts.csv"

| search NOT [search
| stats count by host
| fields - count
| format]]

vstariradev · ‎09-15-2017

niketn · ‎09-15-2017

@vstariradev, If where is not working you can try the following:

| inputlookup "hosts.csv" 
| search landscape=prod
| search NOT [search
| stats count by host
| fields - count
| format]

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

vstariradev · ‎09-17-2017

@niketnilay Adding:

| search landscape=prod

Didn't show any results when the node I was looking for was in fact in the prod landscape.

niketn · ‎09-20-2017

@vstariradev, sorry for the delay in my response. What are the fields returned when you run | inputlookup "hosts.csv"? Is landscape field part of it?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

vstariradev · ‎09-20-2017

hosts.csv has only host column. landscape is not part of it.

niketn · ‎09-20-2017

Then you should not be using the same in either where or search. You can filter on a field which is not present in your data. I requested adding | search landscape=prod based on your previous query where landscape=prod

If landscape field exists in the index you are testing then use the following:

| inputlookup "hosts.csv" 
| search NOT [search index=my_index landscape=prod earliest = -15m latest=now 
| stats count by host
| fields - count
| format]

PS: You can change earliest and latest time as per your need. In case you can identify prod and non prod through any of the default fields (patterns) like host, source, sourcetype, index etc then you can switch from search command with stats to | tstats. Since landscape might not be `index time extracted field you can not use tstats.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

vstariradev · ‎09-21-2017

That works! Thanks!

How to show hosts with no entries

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life