Splunk Search

How do I know if a host is not sending me data?

pkeller
Contributor

If I have a lookup table formatted like this:

lookup_host,os

host1,linux

host2,linux

host3,sunos

And say I'm sending data to: source=/data/unix/syslog.log

In my search, I can do something like:

source=/data/unix/syslog.log os=linux ... and that correctly shows me everything received from host1 and host2 ...

But, I'd like to be able to use the lookup table to tell me who's not sending me data.

Not quite sure how I would format a search to do that.

Thanks very much, hopefully I made this fairly clear ...
Paul Keller

reed_kelly
Contributor

You can query the lookup file first and then remove ones that you are receiving data from. Suppose that you had a search that returned the list of hosts that you are receiving data from like:

source=/data/unix/syslog.log os=linux | stats count by host |rename host as lookup_host|fields +lookup_host

Then you could use something like:

| inputlookup lookupfile |search NOT [source=/data/unix/syslog.log | stats count by host |rename host as lookup_host|fields +lookup_host] |fields +lookup_host

You can then create an alert if this returns any lines.

That should return

0 Karma

pkeller
Contributor

Thank you ... I did manage to get the data I needed using:

source=/data/unix/syslog.log | inputlookup append=true lookupfile| stats count(linecount) as linecount by lookup_host | where linecount < 1

0 Karma

reed_kelly
Contributor

I forgot to add the `search` keyword: [search source=...]. This is the syntax for a subsearch.

pkeller
Contributor

Thank you. I tried this, but received an error that seemed to occur at the [source=/data/unix/syslog.log point ... It says: "Search operation 'source' is unknown. You might not have permission to run this operation"

0 Karma

pkeller
Contributor

Thanks for responding ... I'm looking for the latter ... those who have never sent any data (or maybe no data in the past 30 days ...), but "never" would be a good jumping-off point. Cheers, Paul

0 Karma

MarioM
Motivator

Do you want to know the last time a host sent you data and whether it has not sent any for a while, or just those hosts that never sent you data?

0 Karma
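The check the thread converges on (take the lookup's host list, subtract the hosts actually seen, and optionally treat hosts silent for more than 30 days the same way) is simple enough to show end to end outside Splunk. The following is an added example, not code from the original posts or from Splunk: it re-implements reed_kelly's set-difference answer and pkeller's "never or not in the past 30 days" variant in plain Python over a constructed lookup CSV and constructed log lines. The line format (`<ISO timestamp> <host> <message>`), the host names, the timestamps and the fixed "now" of 2024-03-31 are all assumptions made for this example.

```python
"""Added example (not from the Splunk thread): which hosts in an inventory
lookup are not sending data, and which have gone quiet for too long."""
import csv
import io
import re
from datetime import datetime, timedelta, timezone

# Constructed lookup in the same shape as the thread's lookup_host,os file.
LOOKUP_CSV = """lookup_host,os
host1,linux
host2,linux
host3,sunos
host4,linux
"""

# Constructed log lines. host3 never appears, host4 appears only in January,
# HOST1 differs in case from the lookup, and host9 is not in the lookup at all.
SYSLOG_LINES = """\
2024-03-30T10:00:01Z host1 sshd[123]: Accepted publickey for ops from 10.0.0.5
2024-03-30T11:15:42Z HOST1 cron[456]: (root) CMD (run-parts /etc/cron.hourly)
2024-03-30T12:00:00Z host2 kernel: usb 1-1: new high-speed USB device
2024-01-05T08:00:00Z host4 sshd[789]: Failed password for invalid user admin
2024-03-30T12:05:13Z host9 sshd[321]: Accepted password for root from 10.0.0.9
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<msg>.*)$")


def load_expected_hosts(csv_text):
    """Parse the lookup into {host: os}. Host names are lower-cased because a
    hand-maintained lookup and the indexed host field often disagree on case."""
    expected = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        expected[row["lookup_host"].strip().lower()] = row["os"].strip()
    return expected


def last_seen_by_host(lines):
    """Newest timestamp per host (the equivalent of `stats latest(_time) by host`)."""
    last_seen = {}
    for line in lines.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip unparseable lines instead of aborting the whole check
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        host = m.group("host").lower()
        if host not in last_seen or ts > last_seen[host]:
            last_seen[host] = ts
    return last_seen


def silent_hosts(expected, last_seen, now, max_age):
    """The set difference the thread asks for. Returns sorted (host, os, status)
    tuples: "never" for hosts with no events at all, "stale" for hosts whose
    newest event is older than max_age."""
    findings = []
    for host, os_name in expected.items():
        seen = last_seen.get(host)
        if seen is None:
            findings.append((host, os_name, "never"))
        elif now - seen > max_age:
            findings.append((host, os_name, "stale"))
    return sorted(findings)


def unlisted_hosts(expected, last_seen):
    """Hosts that send data but are missing from the lookup. A lookup-driven
    check can never alert on these, so report them separately."""
    return sorted(set(last_seen) - set(expected))


def run_check(csv_text=LOOKUP_CSV, lines=SYSLOG_LINES, now=None, max_age=timedelta(days=30)):
    """Run both checks; `now` is pinned so the example is reproducible (assumption)."""
    now = now or datetime(2024, 3, 31, tzinfo=timezone.utc)
    expected = load_expected_hosts(csv_text)
    last_seen = last_seen_by_host(lines)
    return {
        "silent": silent_hosts(expected, last_seen, now, max_age),
        "unlisted": unlisted_hosts(expected, last_seen),
    }


if __name__ == "__main__":
    result = run_check()
    for host, os_name, status in result["silent"]:
        print(f"ALERT {host} ({os_name}): {status}")
    for host in result["unlisted"]:
        print(f"NOTE  {host}: sending data but not in the lookup")
```

Two points carry over to the Splunk version. First, the subtraction only finds hosts you listed, so the `unlisted_hosts` side (hosts seen in the data but absent from the lookup) is worth a second search, otherwise the inventory silently drifts. Second, for the "no data in 30 days" variant it is cheaper to keep a per-host last-seen time (in SPL, `stats latest(_time) as last_seen by host` over a 30-day window rather than `count`) than to re-scan every event; that is a suggestion of this editor, not something the thread itself shows.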