Re: How to get list of host and source type which ...

chandanjaisal · ‎07-09-2015

I have couples of host and each host has multiple source type, I want to list down host and source type which are not sending data for last 24 hours.

alacercogitatus · ‎07-09-2015

Run this search:

|noop  |append [ |metadata type=hosts | table *] | append [|metadata type=sourcetypes | table *] | eval t = now() - lastTime | where t > 86400 | eval name = coalesce(host,sourcetype)| table name t lastTime totalCount type |rename t as "Seconds since Event" | convert ctime(lastTime) timeformat="%m/%d/%Y %H:%M:%S %z"

What is it doing? Well, noop stops Splunk from searching, and then we use two metadata commands to pull metadata information on hosts and sourcetypes. A little bit of eval/table/rename/convert trickery, and viola! A table of the hosts and sourcetypes with no events in the last 24 hours.

chandanjaisal · ‎07-10-2015

Thanks Alacercogitatus for the reply.
I have executed your search query that is working fine. This query is also helpful for me, but here I have different requirement as following.

Host SourceType Status
host_1 sourcetype_1 Sending data
host_1 sourcetype_2 sending data
host_1 sourcetype_3 Not sending data for Last 24 hours

host_2 sourcetype_1 sending data
host_2 sourcetype_2 Not sending data for last 24 hours
host_2 sourcetype_3 sending data

Required OutPut:
host_1 Sourcetype_3 LastTime
host_2 sourcetype_2 LastTime

How to get list of host and source type which are not not sending data for last 24 hour.

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio