I created a CSV file critical.csv with a list of critical assets, and uploaded the lookup table into Splunk. How would I create a query to check whether these assets have been sending logs to Splunk for the past X amount of time? The field name in the lookup is hostname. All of the hosts are using Splunk universal forwarders.
Hi jrprez1804,
try something like this:
index=_internal
| eval host=upper(host)
| stats count BY host
| append [ | inputlookup critical.csv | eval host=upper(hostname), count=0 | fields host count ]
| stats sum(count) AS Total BY host
| where Total=0
In this way, all the hosts where Total=0 are the missing ones.
You can show the host situation in a graphic panel by deleting the last row, or create an alert.
Bye.
Giuseppe
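A variant of the same append-and-stats approach, added here as an example and not part of Giuseppe's answer, that makes the "past X amount of time" explicit (24 hours, assumed), restricts the output to the critical hosts only, and reports when each one last checked in. It assumes the same critical.csv lookup with a hostname column and that the forwarders ship their own _internal logs, which is the universal forwarder default.

```spl
| tstats count AS events, max(_time) AS last_seen
    WHERE index=_internal earliest=-24h@h
    BY host
| eval host=upper(host)
| append [
    | inputlookup critical.csv
    | eval host=upper(hostname), critical=1
    | fields host critical
  ]
| stats sum(events) AS events, max(last_seen) AS last_seen, max(critical) AS critical BY host
| where critical=1
| fillnull value=0 events
| eval status=if(events=0, "MISSING", "OK"),
       last_seen=if(events=0, "none since window start", strftime(last_seen, "%Y-%m-%d %H:%M:%S"))
| table host status events last_seen
| sort status
```

Change earliest=-24h@h to whatever X you need; tstats over _internal uses the indexed host field, so it stays cheap even with a wide window.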