https://community.splunk.com/t5/Getting-Data-In/Monitor-whether-network-device-is-alive/m-p/94864#M19752 <P>Can splunk do such this? Traditionally, it used ping, port scan or snmp. if the device is dead, it no longer sends log, how splunk detect such situation?Thanks</P> Fri, 26 Nov 2010 09:53:11 GMT hjwang 2010-11-26T09:53:11Z https://community.splunk.com/t5/Getting-Data-In/Monitor-whether-network-device-is-alive/m-p/94864#M19752 <P>Can splunk do such this? Traditionally, it used ping, port scan or snmp. if the device is dead, it no longer sends log, how splunk detect such situation?Thanks</P> Fri, 26 Nov 2010 09:53:11 GMT https://community.splunk.com/t5/Getting-Data-In/Monitor-whether-network-device-is-alive/m-p/94864#M19752 hjwang 2010-11-26T09:53:11Z https://community.splunk.com/t5/Getting-Data-In/Monitor-whether-network-device-is-alive/m-p/94865#M19753 <P>To detect a device that's no longer sending events you could use something like this (from <A href="http://answers.splunk.com/questions/798/how-do-i-tell-if-a-forwarder-is-down" rel="nofollow">here</A><span class="lia-unicode-emoji" title=":disappointed_face:">😞</span></P> <PRE><CODE>| metadata type=hosts | sort recentTime desc | convert ctime(recentTime) as Recent_Time | table host Recent_Time </CODE></PRE> <P>However, the fact that events aren't being sent isn't necessarily an indication that a device is "dead". You could, however, easily create a scripted input to run ping/traceroute or whatever you like on a pretty tight interval and then create searches and alerts around the output, which would be a pretty standard way to deal with such issues and really the only reasonably reliable way that I know of.</P> Sat, 27 Nov 2010 12:34:34 GMT https://community.splunk.com/t5/Getting-Data-In/Monitor-whether-network-device-is-alive/m-p/94865#M19753 mw 2010-11-27T12:34:34Z