Use TSTATS to find hosts no longer sending data

This is a simple tstats query shows all hosts and sourcetypes that have reported data, and shows the time in seconds since anything was sent. Be sure to run the query over a lengthy period of time in order to include machines that haven’t sent data for sometime. Don’t worry about the search-time so much, tstats is FAST!

|tstats latest(_time) as lt by index, sourcetype, host | eval NOW=now() | eval difftime=NOW-lt

1	\|tstats latest(_time) as lt by index, sourcetype, host \| eval NOW=now() \| eval difftime=NOW-lt

Here’s the same query but with a rangemap:

|tstats latest(_time) as lt by index, sourcetype, host | eval NOW=now() | eval difftime=NOW-lt | rangemap field=difftime "0 - 60 Min"=0-3600 "1 - 24 Hours"=3601-86400 "1-7 Days"=86401-604800 default="Greater than 1 Week"

1	\|tstats latest(_time) as lt by index, sourcetype, host \| eval NOW=now() \| eval difftime=NOW-lt \| rangemap field=difftime "0 - 60 Min"=0-3600 "1 - 24 Hours"=3601-86400 "1-7 Days"=86401-604800 default="Greater than 1 Week"

And lastly, if you want to only know hosts that haven’t reported in for a period of time, you can use the following query utilizing the “where” function (example below shows anything that hasn’t sent data in over an hour):

|tstats latest(_time) as lt by index, sourcetype, host | eval NOW=now() | eval difftime=NOW-lt | where difftime>=3600

1	\|tstats latest(_time) as lt by index, sourcetype, host \| eval NOW=now() \| eval difftime=NOW-lt \| where difftime>=3600

Splunk Query Repository

Use TSTATS to find hosts no longer sending data

Leave A Comment? Click here to cancel reply.

Splunk Query Repository

Use TSTATS to find hosts no longer sending data

Related Queries

Internal Splunk User Stats

Show Searches with Details (Who | When | What)

Forwarder TCP Connections info

Leave A Comment? Click here to cancel reply.