How to Find the Missing HOSTS in SPLUNK

Let's say every host sends data every day, but for some reason a few hosts aren't sending data today. We want to find the names of the hosts that aren't sending data today.

Step 1: Checking the names of all hosts.

To get the names of all hosts, we run a query that returns every host that was sending data from the last 30 days up to yesterday. This gives us the full list of host names. Here we run the query over the last 30 days, but you can run it over all time. The query below lists all host names.

QUERY1

| metasearch earliest=-30d@d latest=-1d@d index=_* OR index=* host=*
| stats count by host

 

Step 2: Checking the names of the hosts that are sending data today.

To get today's hosts, we run a query that returns the names of all hosts that are sending data today. This gives us the list of host names for today. The query below lists today's hosts.

QUERY2

| metasearch earliest=-d@d latest=now index=* OR index=_* host=*
| stats count as TODAY_COUNT by host

 

Step 3: Missing host names.

| metasearch earliest=-30d@d latest=-1d@d index=_* OR index=* host=*
| stats count by host
| append [ | metasearch earliest=-d@d latest=now index=* OR index=_* host=* | stats count as TODAY_COUNT by host  ]  
| stats values(*) as * by host
| fillnull value="NA" TODAY_COUNT
| search TODAY_COUNT="NA"
| fields host

 

Explanation:

The Step 3 query returns the names of the missing hosts. To find them, we joined QUERY1 and QUERY2 with the "append" command. Then, with the "stats" command, we merged the two result sets into one row per host, so the TODAY_COUNT field has no value for the hosts that aren't sending data today. With the "fillnull" command we filled that null value with "NA" in TODAY_COUNT. Finally, with the "search" command we kept only the hosts whose TODAY_COUNT is "NA", which are the hosts that aren't sending data today.
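
A single-pass variant of the Step 3 search, as an added example that is not from the original post: it records each host's last event time instead of appending a second search, so the result also shows how long each host has been silent. The field names last_seen, hours_silent and EVENT_COUNT are made up for this example, and the cutoff reuses the -d@d boundary from QUERY2.

```spl
| metasearch earliest=-30d@d latest=now index=* OR index=_* host=*
| stats max(_time) as last_seen count as EVENT_COUNT by host
| where last_seen < relative_time(now(), "-d@d")
| eval hours_silent = round((now() - last_seen) / 3600, 1)
| convert ctime(last_seen)
| sort - hours_silent
| fields host last_seen hours_silent EVENT_COUNT
```

Hosts that have been silent for longer than the 30-day search window do not appear in the result; widen earliest to cover them.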

 

Hope this has helped you achieve the following requirement without fail:

How to Find the Missing HOSTS in SPLUNK

Happy Splunking !!

 
