Splunk Search

Create a report/alert to display hosts that are not reporting /var/log/secure

daniel333
Builder

All,

I have a list of PCI hosts. Now what I want to do is take that list of hosts and create a report/alert to display hosts which are not reporting /var/log/secure. Any idea how I might do this from a search?

0 Karma

lfedak_splunk
Splunk Employee

Hey @daniel333, if @somesoni2's solution worked then please don't forget to accept his answer to award karma points and close the question. 🙂

0 Karma

somesoni2
Revered Legend

Assuming you can create a lookup table file with your list of hosts (say myhosts.csv with header as host), try like this:

| tstats count WHERE index=IndexWhichHasSecurelogData source="/var/log/secure" [| inputlookup myhosts.csv | table host ] by host
| append [| inputlookup myhosts.csv | table host | eval count=0 ]
| stats max(count) as count by host
| where count=0

0 Karma
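An extended form of the same lookup-plus-tstats pattern, added here as an example and not part of somesoni2's answer: it assumes the lookup is still myhosts.csv with a host column and that the index is named linux_secure (a placeholder for your own index), reports when each PCI host last sent /var/log/secure data, and flags hosts with no data at all or none in the last 24 hours, so it can be scheduled as an alert rather than only run as a report.

```spl
| tstats latest(_time) AS last_seen count AS events
    WHERE index=linux_secure source="/var/log/secure" earliest=-7d
      [| inputlookup myhosts.csv | table host ]
    BY host
```` every expected host is appended with zero events so it survives the join ```
| append
    [| inputlookup myhosts.csv | table host | eval events=0, last_seen=0 ]
``` one row per host: real counts win over the appended zero row ```
| stats max(events) AS events max(last_seen) AS last_seen BY host
| eval silent_hours = round((now() - last_seen) / 3600, 1)
``` events=0 means nothing in the 7d window; silent_hours catches hosts that stopped recently ```
| where events=0 OR silent_hours > 24
| eval last_seen = if(last_seen=0, "never (in 7d window)", strftime(last_seen, "%Y-%m-%d %H:%M:%S"))
| table host last_seen silent_hours
| sort - silent_hours
```

The stats grouping is case-sensitive, so a host value in myhosts.csv that differs in case or FQDN form from the indexed host field will show up as silent even when the host is reporting; normalise the lookup to match what tstats returns for host before relying on this as an alert.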