- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Search where hosts have an unrelated sourcetype
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I was refining an existing search/dashboard panel when I discovered that my hosts do not reliably follow a pattern. What these hosts do have in common is the presence of a sourcetype unrelated to the data in the search.
Existing Search:
eventtype=winperformance host=myhostpattern object=logicaldisk .....
This search works nicely, but excludes hosts which do not follow the pattern. I would like to replace host=myhostpattern with something that will search for:
sourcetype=mysource |dedup host
and use this to create the host list to use.
I have considered using an inputlookup/outputlookup, but thought there would be a better option.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Subsearch is your friend here (unless the number of hosts is huge):
eventtype=winperformance object=logicaldisk
[search sourcetype=mysource | dedup host | table host]
More about subsearches: http://docs.splunk.com/Documentation/Splunk/latest/SearchTutorial/Useasubsearch
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
A much better performing option could be this (again it's a subsearch so more than 10,000 records will get truncated)
eventtype=winperformance [| tstats count WHERE source=mysource by host | table host ] object=logicaldisk .....
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This looked promising but unfortunately I am still on version 5.x and requires a populated tsidx first. I will definitely revisit this once I updgrade to 6.x.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How about this
eventtype=winperformance host=* object=logicaldisk
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Subsearch is your friend here (unless the number of hosts is huge):
eventtype=winperformance object=logicaldisk
[search sourcetype=mysource | dedup host | table host]
More about subsearches: http://docs.splunk.com/Documentation/Splunk/latest/SearchTutorial/Useasubsearch
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks. I didn't know it would add the host list like this as a criteria.
Introducing the Splunk Community Dashboard Challenge!
Wondering How to Build Resiliency in the Cloud?
Updated Data Management and AWS GDI Inventory in Splunk Observability
