@vstariradev, questions on similar lines have been asked and answered several times in the past; here is one of the approaches.
https://answers.splunk.com/answers/133078/display-hosts-that-didnt-have-events-only.html
You would need some source for getting all the host names (possibly a csv file).
Hey @vstariradev, if @niketnilay solved your problem with that link, please don't forget to accept an answer! You can upvote posts as well. (Karma points will be awarded for either action.) Happy Splunking!
Thanks for the reply. This is what I was looking for. Follow-up question: I want to limit the search to specific landscapes (test/prod) because I have hosts with the same names in different landscapes. I tried the search below, but it didn't show any results:
index=my_index landscape=prod [| inputlookup "hosts.csv"
| search NOT [search
| stats count by host
| fields - count
| format]]
Also, WHERE isn't accepted, so this doesn't work either:
| inputlookup "hosts.csv" where landscape=prod
| search NOT [search
| stats count by host
| fields - count
| format]
@vstariradev, if where is not working you can try the following:
| inputlookup "hosts.csv"
| search landscape=prod
| search NOT [search
| stats count by host
| fields - count
| format]
@niketnilay Adding:
| search landscape=prod
did not show any results, even though the node I was looking for was in fact in the prod landscape.
@vstariradev, sorry for the delay in my response. What are the fields returned when you run | inputlookup "hosts.csv" ? Is the landscape field part of it?
hosts.csv has only a host column; landscape is not part of it.
Then you should not be using the same in either where or search. You can filter on a field which is not present in your data. I requested adding | search landscape=prod based on your previous query where landscape=prod. If the landscape field exists in the index you are testing, then use the following:
| inputlookup "hosts.csv"
| search NOT [search index=my_index landscape=prod earliest = -15m latest=now
| stats count by host
| fields - count
| format]
PS: You can change the earliest and latest time as per your need. In case you can identify prod and non-prod through any of the default fields (patterns) like host, source, sourcetype, index etc., then you can switch from the search command with stats to | tstats. Since landscape might not be an index-time extracted field, you cannot use tstats.
That works! Thanks!