topic automating the missing forwarder records query in Getting Data In https://community.splunk.com/t5/Getting-Data-In/automating-the-missing-forwarder-records-query/m-p/76760#M15682 <P>Newbie to splunk, hello everyone...</P> <P>I use the UniversalForwarder on a pool of windows IIS servers. Each server has 4 unique sites (IP's). I've had some problems with the universal forwarder ignoring some IIS logfiles, eventually this was fixed by adding both "crcSalt = <SOURCE>" and "alwaysOpenFile = 1" to the inputs.conf on the IIS servers.</SOURCE></P> <P>In order to validate that this fix is working, I want to automate a check.</P> <P>The query "#Fields: | stats values(source) by host" for the last 7 days should return results like:</P> <PRE><CODE>c:\inetpub\logs\site1\ex20120924.log c:\inetpub\logs\site1\ex20120925.log c:\inetpub\logs\site1\ex20120926.log c:\inetpub\logs\site1\ex20120927.log c:\inetpub\logs\site1\ex20120928.log c:\inetpub\logs\site1\ex20120929.log c:\inetpub\logs\site1\ex20120930.log c:\inetpub\logs\site2\ex20120924.log c:\inetpub\logs\site2\ex20120925.log c:\inetpub\logs\site2\ex20120926.log c:\inetpub\logs\site2\ex20120927.log c:\inetpub\logs\site2\ex20120928.log c:\inetpub\logs\site2\ex20120929.log c:\inetpub\logs\site2\ex20120930.log </CODE></PRE> <P>Above are good results.</P> <P>Below are bad results:</P> <PRE><CODE>c:\inetpub\logs\site1\ex20120924.log c:\inetpub\logs\site1\ex20120925.log &lt;no entry for ex20120926.log&gt; c:\inetpub\logs\site1\ex20120927.log c:\inetpub\logs\site1\ex20120928.log c:\inetpub\logs\site1\ex20120929.log c:\inetpub\logs\site1\ex20120930.log c:\inetpub\logs\site2\ex20120924.log c:\inetpub\logs\site2\ex20120925.log c:\inetpub\logs\site2\ex20120926.log c:\inetpub\logs\site2\ex20120927.log c:\inetpub\logs\site2\ex20120928.log c:\inetpub\logs\site2\ex20120929.log &lt;no entry for ex20120930.log&gt; </CODE></PRE> <P>Above has 2 entries missing.</P> <P>In pseudo logic, I would run the query:<BR /> "#Fields: | stats values(source) by host" for the last 7 days </P> <P>through a loop counter that returns an error if each site (site1/site2) fails to return 7 records.<BR /> If this is too complex, I suppose I could look for "at least XX rows" or such. Any suggestions would be appreciated.</P> Mon, 01 Oct 2012 21:39:12 GMT umiotoko 2012-10-01T21:39:12Z automating the missing forwarder records query https://community.splunk.com/t5/Getting-Data-In/automating-the-missing-forwarder-records-query/m-p/76760#M15682 <P>Newbie to splunk, hello everyone...</P> <P>I use the UniversalForwarder on a pool of windows IIS servers. Each server has 4 unique sites (IP's). I've had some problems with the universal forwarder ignoring some IIS logfiles, eventually this was fixed by adding both "crcSalt = <SOURCE>" and "alwaysOpenFile = 1" to the inputs.conf on the IIS servers.</SOURCE></P> <P>In order to validate that this fix is working, I want to automate a check.</P> <P>The query "#Fields: | stats values(source) by host" for the last 7 days should return results like:</P> <PRE><CODE>c:\inetpub\logs\site1\ex20120924.log c:\inetpub\logs\site1\ex20120925.log c:\inetpub\logs\site1\ex20120926.log c:\inetpub\logs\site1\ex20120927.log c:\inetpub\logs\site1\ex20120928.log c:\inetpub\logs\site1\ex20120929.log c:\inetpub\logs\site1\ex20120930.log c:\inetpub\logs\site2\ex20120924.log c:\inetpub\logs\site2\ex20120925.log c:\inetpub\logs\site2\ex20120926.log c:\inetpub\logs\site2\ex20120927.log c:\inetpub\logs\site2\ex20120928.log c:\inetpub\logs\site2\ex20120929.log c:\inetpub\logs\site2\ex20120930.log </CODE></PRE> <P>Above are good results.</P> <P>Below are bad results:</P> <PRE><CODE>c:\inetpub\logs\site1\ex20120924.log c:\inetpub\logs\site1\ex20120925.log &lt;no entry for ex20120926.log&gt; c:\inetpub\logs\site1\ex20120927.log c:\inetpub\logs\site1\ex20120928.log c:\inetpub\logs\site1\ex20120929.log c:\inetpub\logs\site1\ex20120930.log c:\inetpub\logs\site2\ex20120924.log c:\inetpub\logs\site2\ex20120925.log c:\inetpub\logs\site2\ex20120926.log c:\inetpub\logs\site2\ex20120927.log c:\inetpub\logs\site2\ex20120928.log c:\inetpub\logs\site2\ex20120929.log &lt;no entry for ex20120930.log&gt; </CODE></PRE> <P>Above has 2 entries missing.</P> <P>In pseudo logic, I would run the query:<BR /> "#Fields: | stats values(source) by host" for the last 7 days </P> <P>through a loop counter that returns an error if each site (site1/site2) fails to return 7 records.<BR /> If this is too complex, I suppose I could look for "at least XX rows" or such. Any suggestions would be appreciated.</P> Mon, 01 Oct 2012 21:39:12 GMT https://community.splunk.com/t5/Getting-Data-In/automating-the-missing-forwarder-records-query/m-p/76760#M15682 umiotoko 2012-10-01T21:39:12Z Re: automating the missing forwarder records query https://community.splunk.com/t5/Getting-Data-In/automating-the-missing-forwarder-records-query/m-p/76761#M15683 <P>Use the <CODE>stats</CODE> function <CODE>dc</CODE> to get a distinct count of the field values, then check if the count is 7. Then create an alert that triggers if 0 results are returned. You could also reverse that logic - check if count is NOT 7 and trigger alert if more than 0 results are returned.</P> <PRE><CODE>#Fields: | stats dc(source) as uniquecount by host | where uniquecount!=7 </CODE></PRE> Mon, 01 Oct 2012 21:59:24 GMT https://community.splunk.com/t5/Getting-Data-In/automating-the-missing-forwarder-records-query/m-p/76761#M15683 Ayn 2012-10-01T21:59:24Z