Alerting

Need help on servers reporting day-wise for the past 7 days

syedak
New Member

Hi All,
Good Day!!!
Need help on servers reporting day-wise for the past 7 days in the below format.

Thanks in Advance.

0 Karma

mayurr98
Super Champion

Hey @syedak,

You can use a subsearch to accomplish this:

|inputlookup hosts.csv | search NOT [search index=_internal |dedup host | table host]

This search will take your CSV and eliminate hosts found in the subsearch. The hosts.csv will contain all the hosts with the column name of host:

host
host1
host2
host3

Obviously, modify the subsearch and CSV names to suit your environment.

If you'd like to look at your data as the only indicator, I'd recommend | tstats:

| tstats count, latest(_time) AS last_seen where index=* by sourcetype,host | eval timeDiff=now()-last_seen | search timeDiff>900

Change "900" to how long you'd like to consider something missing in seconds. | tstats is going to be significantly faster than | metadata.

Let me know if this helps!

0 Karma

p_gurav
Champion

Hi,

Is there any field which can tell you that the server is not reporting? If yes, then you can use the following query:

| stats dc(host) AS "No of server" sum(eval(if(<field>==true,1,0))) AS "Server not reporting" by date

Edit according to your environment.

0 Karma
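A day-wise version of the lookup comparison discussed in this thread, as an added example that is not code from any of the posters. It assumes the hosts.csv lookup with a host column from the answer above and index=* as the data scope; the field names events, expected, day_offset, day and the output column names are made up for this example.

```spl
| tstats count AS events where index=* earliest=-7d@d latest=@d by host _time span=1d
| eval host=lower(host), day=strftime(_time, "%Y-%m-%d")
| append
    [| inputlookup hosts.csv
     | eval host=lower(host), expected=1, day_offset=mvrange(1, 8)
     | mvexpand day_offset
     | eval day=strftime(relative_time(now(), "-" . day_offset . "d@d"), "%Y-%m-%d")
     | fields host day expected]
| stats sum(events) AS events max(expected) AS expected by host day
| where expected=1
| stats count AS expected_servers
        count(eval(events>0)) AS servers_reporting
        count(eval(isnull(events))) AS servers_not_reporting
        values(eval(if(isnull(events), host, null()))) AS missing_hosts
        by day
| sort day
```

The appended lookup rows create one host/day pair for each of the last 7 complete days, so a day on which an expected host sent nothing still produces a row and the host is listed in missing_hosts. Hosts that report but are not in hosts.csv are dropped by the where clause.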