If I have a lookup table formatted like this:
lookup_host,os
host1,linux
host2,linux
host3,sunos
And say I'm sending data to: source=/data/unix/syslog.log
In my search, I can do something like:
source=/data/unix/syslog.log os=linux ... and that correctly shows me everything received from host1 and host2 ...
But, I'd like to be able to use the lookup table to tell me who's not sending me data.
Not quite sure how I would format a search to do that.
Thanks very much, hopefully I made this fairly clear ...
Paul Keller
You can query the lookup file first and then remove ones that you are receiving data from. Suppose that you had a search that returned the list of hosts that you are receiving data from like:
source=/data/unix/syslog.log os=linux | stats count by host | rename host as lookup_host | fields + lookup_host
Then you could use something like:
| inputlookup lookupfile | search NOT [search source=/data/unix/syslog.log | stats count by host | rename host as lookup_host | fields + lookup_host] | fields + lookup_host
You can then create an alert if this returns any lines.
That should return
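An added example (not from the original thread or from either poster) that takes the idea in the answer above one step further, towards the "no data in the past 30 days" variant the asker mentions later in the thread: instead of only listing lookup hosts with no events at all, it computes per-host last-seen time and event count over the search window, appends the lookup table, and flags every expected host that is either silent for the whole window or has gone quiet recently. The `source`, the lookup columns `lookup_host` and `os`, and the lookup name `lookupfile` come from the thread; the 30-day window and the 7-day "stale" threshold are assumptions chosen for illustration.

```spl
source=/data/unix/syslog.log earliest=-30d@d
| stats latest(_time) AS last_seen, count AS events BY host
| inputlookup append=true lookupfile
| eval lookup_host=coalesce(lookup_host, host)
| stats values(os) AS os, max(last_seen) AS last_seen, sum(events) AS events BY lookup_host
| where isnotnull(os)
| eval events=coalesce(events, 0)
| eval status=case(events == 0, "silent for whole window", last_seen < relative_time(now(), "-7d@d"), "stale (no data for 7d)", true(), "ok")
| where status != "ok"
| eval last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| table lookup_host os status events last_seen
```

How it works: `stats ... BY host` first collapses the raw events to one row per sending host, then the lookup rows are appended and the two host fields are merged with `coalesce` (the lookup rows carry `lookup_host`, the event rows carry `host`; without this step the second `stats` would silently drop all event rows). The second `stats` leaves expected hosts that sent nothing with a null `last_seen` and a null `events`, which `coalesce(events, 0)` turns into a countable zero. `where isnotnull(os)` keeps only hosts present in the lookup, so hosts that are sending but are not in the table are not reported here (they may be worth a separate "unexpected source" search). Because the aggregation runs on the events before the lookup is appended, there is no subsearch, so the subsearch result-count and time limits that apply to the `NOT [search ...]` form do not apply; a host that has never sent data and one that stopped before the window both show up as "silent for whole window", so widen `earliest` if that distinction matters. Save it as an alert that fires when the number of results is greater than zero.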
Thank you ... I did manage to get the data I needed using:
source=/data/unix/syslog.log | inputlookup append=true lookupfile | eval lookup_host=coalesce(lookup_host, host) | stats count(linecount) as linecount by lookup_host | where linecount < 1
Do you want to know the last time a host sent you data and whether it has not sent any for a while, or just those hosts that have never sent you data?
Thanks for responding ... I'm looking for the latter ... those who have never sent any data (or maybe no data in the past 30 days ...), but "never" would be a good jumping-off point. Cheers, Paul
Thank you. I tried this, but received an error that seemed to occur at the [source=/data/unix/syslog.log point ... It says: "Search operation 'source' is unknown. You might not have permission to run this operation".
I forgot to add [search source=...]. This is the syntax for a subsearch.