Search to find hosts sending syslog AND splunkd traffic

1	Any idea how to create a search that finds hosts that are sending BOTH syslog and splunkd traffic? We'd like to turn off syslog for these hosts. licensing asked 24 Feb '10, 22:00 oreoshake 490●1●11 accept rate: 31%

2 Answers:

1	what about this? [search sourcetype=splunkd \| dedup host \| fields + host] sourcetype=syslog subqueries hosts that are generating splunkd events, then use these hostnames to search for syslog sourcetypes. link answered 05 Apr '10, 16:41 rayfoo 178●1●1●9 accept rate: 12%

What always springs to my mind for this kind of goal is:

3 is a bit clumsy. You can do it with the set command, but it is the clumsy part.

The Search & Indexing team is much more fond of a declarative sql-like style, and may have a more clever variation.

There's always the simplistic approach:

For the last 24 hours:

sourcetype=splunkd OR sourcetype=syslog | dedup host, sourcetype

Then review the data manually

If you wanted to get very fancy you could filter with something like:

sourcetype=splunkd OR sourcetype=syslog | dedup host, sourcetype | transaction host | search linecount=2

link

answered 11 Mar '10, 08:53

jrodman ♦
5.6k●5●14
accept rate: 42%

Post your answer

toggle preview

Email:

RSS:

Answers

Markdown Basics

*italic* or _italic_
**bold** or __bold__
link:[text](http://url.com/ "title")
image?![alt text](/path/img.jpg "title")
numbered list: 1. Foo 2. Bar
to add a line break simply add two spaces to where you would like the new line to be.
basic HTML tags are also supported

Tags:

Asked: 24 Feb '10, 22:00

Seen: 756 times

Last updated: 05 Apr '10, 16:41