Use TSTATS to find hosts no longer sending data

This is a simple tstats query shows all hosts and sourcetypes that have reported data, and shows the time in seconds since anything was sent. Be sure to run the query over a lengthy period of time in order to include machines that haven’t sent data for sometime. Don’t worry about the search-time so much, tstats is FAST!

|tstats latest(_time) as lt by index, sourcetype, host | eval NOW=now() | eval difftime=NOW-lt

1	\|tstats latest(_time) as lt by index, sourcetype, host \| eval NOW=now() \| eval difftime=NOW-lt

Here’s the same query but with a rangemap:

|tstats latest(_time) as lt by index, sourcetype, host | eval NOW=now() | eval difftime=NOW-lt | rangemap field=difftime "0 - 60 Min"=0-3600 "1 - 24 Hours"=3601-86400 "1-7 Days"=86401-604800 default="Greater than 1 Week"

1	\|tstats latest(_time) as lt by index, sourcetype, host \| eval NOW=now() \| eval difftime=NOW-lt \| rangemap field=difftime "0 - 60 Min"=0-3600 "1 - 24 Hours"=3601-86400 "1-7 Days"=86401-604800 default="Greater than 1 Week"

And lastly, if you want to only know hosts that haven’t reported in for a period of time, you can use the following query utilizing the “where” function (example below shows anything that hasn’t sent data in over an hour):

|tstats latest(_time) as lt by index, sourcetype, host | eval NOW=now() | eval difftime=NOW-lt | where difftime>=3600

1	\|tstats latest(_time) as lt by index, sourcetype, host \| eval NOW=now() \| eval difftime=NOW-lt \| where difftime>=3600

Splunk Query Repository

Use TSTATS to find hosts no longer sending data

Leave A Comment? Click here to cancel reply.

Splunk Query Repository

Use TSTATS to find hosts no longer sending data

Related Queries

Datamodel Search Performance

Data Usage for Indexer and Forwarders

Searches to check search concurrency for historical or real time

Leave A Comment? Click here to cancel reply.