Lost forwarder search case sensitive for host name

Question

When searching for lost forwarders a host with an all caps name is returned as lost when the same host with a lower case name is reporting. Not certain how host names are being changed, but is there a way to make the search insensitive to case for the host name?

Indexer is 4.1.2 and forwarders (lightweight) are 4.0.9 and 4.0.10.

| metadata type=hosts | tags | rename tag::host as tags |eval age = Round((now() - lastTime)/86400)| search age > 1 age < 60 host=srv* NOT tags=offline | sort age d | convert ctime(lastTime) | fields host,age,lastTime,tags

Accepted Answer

1

Travis's answer is one part of the solution. In addition to "eval host=lower(host)" a pipe to "stats max(lastTime) as ltime by host" had to be added.

| metadata type=hosts | tags | rename tag::host as tags|eval host=lower(host) |stats max(lastTime) as ltime by host|eval age = Round((now() - ltime)/86400)| search age > 1 age < 60 host=srv* NOT tags=offline | sort age d | fields host,age

link

answered 26 May '10, 15:44

rgcox1
91●2●1●13
accept rate: 66%

Accepted Answer

0

Adding | eval host= lower(host) would cause all the host names to be lower case in your search string. Would that help?

Travis.

link

answered 13 May '10, 17:40

thall79
476●2●6
accept rate: 27%

No. The metadata record with the older lasttime still exists, so is still reported.

(13 May '10, 19:26) rgcox1

Lost forwarder search case sensitive for host name

Follow this question

Splunk Resources

Related questions