Need a help on servers reporting day vice for past...

syedak · ‎02-05-2018

Hi All,
Good Day!!!
Need a help on servers reporting day vice for past 7 days in below format.

Thanks in Advance.

mayurr98 · ‎02-05-2018

hey @syedak,

You can use a subsearch to accomplish this:

|inputlookup hosts.csv | search NOT [search index=_internal |dedup host | table host]

This search will take your CSV and eliminate hosts found in the subsearch. The hosts.csv will contain all the hosts with the column name of host

host
host1
host2
host3

Obliviously, modify the subsearch and CSV names to suit your environment.

If you'd like to look at your data as the only indicator, i'd recommend | tstats:

| tstats count, latest(_time) AS last_seen where index=* by sourcetype,host | eval timeDiff=now()-last_seen | search timeDiff>900

Change "900" to how long you'd like to consider something missing in seconds. | tstats is going to be significantly faster than | metadata.

let me know if this helps!

p_gurav · ‎02-05-2018

Hi,

Is there any field which can tell you that server is not reporting? If yes then you can use following query:

| stats dc(host) AS "No of server" count(eval(if(<field>==true,1,0))) AS "Server not reporting" by date

Edit according to your environment.

Need a help on servers reporting day vice for past 7 days