Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How can I count by host?

Harish2
Path Finder
‎07-25-2023 01:13 PM 
index=abc sourcetype=app_logs
|stats count as events by host, host_ip
|where events >0



 When i schedule this as alert  i am receiving alert only when there is no data in all the hosts, but  i need to get an alert if there is no data from any ONE host as well

how can i do this???


Labels (1)
Labels
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎07-26-2023 12:36 AM

Hi @Harish2 ,

the correct condition is event=0 but event=0 isn't listed because there aren't events.

To do this, you need a list of all hosts to monitor in a lookup (caled e.g. perimeter.csv) containing at lease one column (host) and then running a search like this:

index=abc sourcetype=app_logs
| stats count BY host
| append [ | inputlookup perimeter.csv | eval count=0 | fields host ]
| stats sum(count) AS total 
| where total=0

Ciao.

Giuseppe

 

Reply

richgalloway
SplunkTrust
SplunkTrust
‎07-25-2023 02:09 PM

Finding something that is not there is not Splunk's strong suit.  See this blog entry for a good write-up on it.

https://www.duanewaddle.com/proving-a-negative/

---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Get the T-shirt to Prove You Survived Splunk University Bootcamp

As if Splunk University, in Las Vegas, in-person, with three days of bootcamps and labs weren’t enough, now ...

Wondering How to Build Resiliency in the Cloud?

IT leaders are choosing Splunk Cloud as an ideal cloud transformation platform to drive business resilience,  ...