Channel: Questions in topic: "splunk-enterprise"

how to add one more field value with the remaining results in a splunk query?

I have the following query to display, from a list of hosts in a lookup table, the hosts which have been seen in the last 24 hours and the hosts which have not been seen in the last 24 hours, and it is working fine. But I also want to see the hosts which fall into neither group, i.e. the hosts which have never been in Splunk. This is my query:

```
| metadata type=hosts
| search [| inputlookup mssp_dashboard_hosts_test.csv | search hpam_environment="PROD" | rename my_hostname as host | eval host=lower(host) | eval recentTime=0 | table host]
| eval lastTime=coalesce(lastTime,0)
| eval timeDiff=now()-lastTime
| eval last_seen_in_24_hours=case(timeDiff==NULL, "never in Splunk", timeDiff>86400,"Systems not reported to Splunk from last 24 hours", 1==1,"Systems reported to Splunk in last 24 hours")
| eval lastReported=if(lastTime=0,"never",strftime(lastTime,"%F %T"))
```

This is the result:

![alt text][1]

Now I also want to see the remaining hosts, which have never been in Splunk, as "never in splunk". I am trying to display the count of never-seen hosts in the report alongside the hosts seen in the last 24 hours and the hosts not seen in the last 24 hours, like below:

| last_seen_in_24_hours | count |
|---|---|
| systems not reported to splunk in last 24 hours | 43 |
| systems reported to splunk in last 24 hours | 768 |
| systems never reported to splunk | 76 |

[1]: /storage/temp/219577-hosts.png
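One way to get the third bucket, given here as an added example and not as the original poster's query: `| metadata type=hosts | search [...]` can only ever return hosts that Splunk has actually indexed, so a lookup host with no metadata row is filtered out before the `case()` runs and the `"never in Splunk"` branch is dead code. Reversing the direction avoids that: append the lookup hosts to the metadata rows and collapse by host, so lookup hosts without a metadata row survive with an empty `lastTime`. The lookup file, `hpam_environment`, `my_hostname` and the three category labels are taken from the post; the `in_lookup` flag is introduced here, and `index=*` is an assumption (the original query searched only the user's default indexes).

```spl
| metadata type=hosts index=*
| eval host=lower(host)
| fields host lastTime
| append
    [| inputlookup mssp_dashboard_hosts_test.csv
     | search hpam_environment="PROD"
     | rename my_hostname as host
     | eval host=lower(host), in_lookup=1
     | fields host in_lookup]
| stats max(lastTime) as lastTime, max(in_lookup) as in_lookup by host
| where in_lookup=1
| eval timeDiff=now()-lastTime
| eval last_seen_in_24_hours=case(
        isnull(lastTime), "systems never reported to splunk",
        timeDiff>86400,   "systems not reported to splunk in last 24 hours",
        1==1,             "systems reported to splunk in last 24 hours")
| eval lastReported=if(isnull(lastTime), "never", strftime(lastTime, "%F %T"))
| stats count by last_seen_in_24_hours
```

The `stats ... by host` step does the left join: hosts that exist only in metadata end up with a null `in_lookup` and are dropped by `where`, hosts that exist only in the lookup keep a null `lastTime` and land in the "never" bucket, and duplicate rows in the lookup collapse to one host. Remove the final `stats count` to get the per-host table with `lastReported`. Two caveats worth keeping in mind: `metadata` reports `lastTime` as the timestamp of the latest event, not the time it was indexed, so a host forwarding events with stale timestamps can look "not reported" while still sending data; and `append` is a subsearch, so it is subject to the usual subsearch row and time limits, which is fine for a lookup of a few hundred or thousand hosts but should be checked if the lookup grows large.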
