Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Lost forwarder search case sensitive for host name

rgcox1
Communicator
‎05-13-2010 04:44 PM

When searching for lost forwarders a host with an all caps name is returned as lost when the same host with a lower case name is reporting. Not certain how host names are being changed, but is there a way to make the search insensitive to case for the host name?

Indexer is 4.1.2 and forwarders (lightweight) are 4.0.9 and 4.0.10.

| metadata type=hosts | tags | rename tag::host as tags |eval age = Round((now() - lastTime)/86400)| search age > 1 age < 60 host=srv* NOT tags=offline | sort age d | convert ctime(lastTime) | fields host,age,lastTime,tags
Tags (1)
0 Karma
Reply
2 Solutions
Solved! Jump to solution
Solution

thall79
Communicator
‎05-13-2010 05:40 PM

Adding | eval host= lower(host) would cause all the host names to be lower case in your search string. Would that help?

| metadata type=hosts | eval host= lower(host) | tags | rename tag::host as tags |eval age = Round((now() - lastTime)/86400)| search age > 1 age < 60 host=srv* NOT tags=offline | sort age d | convert ctime(lastTime) | fields host,age,lastTime,tags

Travis.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

rgcox1
Communicator
‎05-26-2010 03:44 PM

Travis's answer is one part of the solution. In addition to "eval host=lower(host)" a pipe to "stats max(lastTime) as ltime by host" had to be added.

| metadata type=hosts | tags | rename tag::host as tags|eval host=lower(host) |stats max(lastTime) as ltime by host|eval age = Round((now() - ltime)/86400)| search age > 1 age < 60 host=srv* NOT tags=offline | sort age d | fields host,age

View solution in original post

Reply
Solved! Jump to solution
Solution

rgcox1
Communicator
‎05-26-2010 03:44 PM

Travis's answer is one part of the solution. In addition to "eval host=lower(host)" a pipe to "stats max(lastTime) as ltime by host" had to be added.

| metadata type=hosts | tags | rename tag::host as tags|eval host=lower(host) |stats max(lastTime) as ltime by host|eval age = Round((now() - ltime)/86400)| search age > 1 age < 60 host=srv* NOT tags=offline | sort age d | fields host,age
Reply
Solved! Jump to solution
Solution

thall79
Communicator
‎05-13-2010 05:40 PM

Adding | eval host= lower(host) would cause all the host names to be lower case in your search string. Would that help?

| metadata type=hosts | eval host= lower(host) | tags | rename tag::host as tags |eval age = Round((now() - lastTime)/86400)| search age > 1 age < 60 host=srv* NOT tags=offline | sort age d | convert ctime(lastTime) | fields host,age,lastTime,tags

Travis.

0 Karma
Reply
Solved! Jump to solution

rgcox1
Communicator
‎05-13-2010 07:26 PM

No. The metadata record with the older lasttime still exists, so is still reported.

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...