Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to create search to find the dates where the host is not sending logs to splunk?

Roy_9
Motivator
‎09-14-2023 11:54 AM

Hello,

I am trying to find the dates  when the host stopped sending logs to splunk in the last 6 months.I have used the below search but can only find the earliest and latest indexed time.

Just wanted to know the dates as well when the host stopped sending logs.

| tstats count as totalcount earliest(_time) as firstTime latest(_time) as lastTime where index=linux host=xyz by host
| fieldformat firstTime=strftime(firstTime,"%Y-%m-%d %H:%M:%S")
| fieldformat lastTime=strftime(lastTime,"%Y-%m-%d %H:%M:%S")


Thanks

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎09-18-2023 11:38 AM

What do you mean by "added"? @ITWhisperer 's search should be run on its own, not added to your search.

Alternatively, you can try to count splitting by time so you can limit your search to a particular month or week (I think with a day resolution it could still run but go more densely and you won't visualize it reasonably).

| tstats prestats=t count where index=<your_index> host=<your_host> by _time span=1w
| timechart span=1w count

 

View solution in original post

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎09-14-2023 12:59 PM

Try something like this

| metasearch index=linux
| timechart count by host useother=f
| untable _time host count
| where count=0
Reply
Solved! Jump to solution

Roy_9
Motivator
‎09-18-2023 11:09 AM

Hello @ITWhisperer 

I added the host name to the query provided and ran a search but i am not seeing any results under statistics tab. Is result=0 means that the host is reporting and that is the reason we are not seeing results?

Can you please confirm?

 

Thanks

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎09-18-2023 03:11 PM

Correct - if you are getting no results, all the hosts are reporting in the time period of your search.

0 Karma
Reply
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎09-18-2023 11:38 AM

What do you mean by "added"? @ITWhisperer 's search should be run on its own, not added to your search.

Alternatively, you can try to count splitting by time so you can limit your search to a particular month or week (I think with a day resolution it could still run but go more densely and you won't visualize it reasonably).

| tstats prestats=t count where index=<your_index> host=<your_host> by _time span=1w
| timechart span=1w count

 

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Get the T-shirt to Prove You Survived Splunk University Bootcamp

As if Splunk University, in Las Vegas, in-person, with three days of bootcamps and labs weren’t enough, now ...

Wondering How to Build Resiliency in the Cloud?

IT leaders are choosing Splunk Cloud as an ideal cloud transformation platform to drive business resilience,  ...