topic Re: How to check how long splunk uf agents are down on particular servers? in Getting Data In

How to check how long splunk uf agents are down on particular servers?

splunker969 — Mon, 06 Aug 2018 15:27:42 GMT

Hi ,

We had list of servers a,b,c,d,e,f. How can we check how long splunk uf agents are down on the servers a,b,c,d,e,f? At present we restarted uf agents. I am looking for a query. Any help would be great. Thanks in advance 🙂

Re: How to check how long splunk uf agents are down on particular servers?

somesoni2 — Mon, 06 Aug 2018 15:38:06 GMT

Assuming that you're using a deployment server to manage your UF configuration and you forwarder your deployment server's internal logs to your indexers, try like this (accuracy of the downtime will be +/- phonehome period for your UF, in last where clause, replace PutPhoneHomePeriodInSecsHere with your actual phone home interval).

index=_internal host=a OR host=b OR host=..all other hosts.. component=HttpPubSubConnection Running phone
| table _time host | sort 0 host _time | streamstats current=f window=1 values(_time) as prev_time 
| eval duration=abs(_time-prev_time) | stats max(duration) as downtime by host | where downtime>PutPhoneHomePeriodInSecsHere

Re: How to check how long splunk uf agents are down on particular servers?

splunker969 — Mon, 06 Aug 2018 15:51:29 GMT

Hi somesoni2 ,

Thanks for the query. In above query How can i know from which time to when the splunk server is down for example 8/3/2018 7 am to 8/4/2018 6 am .. and .Down time in hours Please ?

Thanks,
splunker969

Re: How to check how long splunk uf agents are down on particular servers?

somesoni2 — Mon, 06 Aug 2018 15:56:07 GMT

Give this version a try

index=_internal host=a OR host=b OR host=..all other hosts.. component=HttpPubSubConnection Running phone
 | table _time host | sort 0 host _time | streamstats current=f window=1 values(_time) as prev_time 
 | eval downtime=abs(_time-prev_time) | where downtime>PutPhoneHomePeriodInSecsHere
| eval DownFrom=strftime(prev_time,"%+") | eval DownTo=strftime(_time,"%+") | eval downtime_hours=round(downtime/3600)| eval downtime=tostring(downtime,"duration")
| table host DownFrom DownTo downtime downtime_hours

Re: How to check how long splunk uf agents are down on particular servers?

splunker969 — Mon, 06 Aug 2018 16:25:08 GMT

Hi somesoni2

This query is not working .

Thanks,
Splunker969

Re: How to check how long splunk uf agents are down on particular servers?

ddrillic — Mon, 06 Aug 2018 19:25:12 GMT

We use -

| inputlookup <lookup with host column>.csv 
| fields host 
| join type=left host 
    [| metadata type=hosts index=<index name>
    | eval host=lower(host) 
    | eval _time=recentTime 
    | sort host, _time 
    | stats latest(_time) as recentTime by host ] 
| eval LAST=strftime(recentTime,"%a %m/%d/%Y-%T %Z(%z)"), DAYS_AGO=round((recentTime-now())/86400,0)

Re: How to check how long splunk uf agents are down on particular servers?

somesoni2 — Mon, 06 Aug 2018 19:28:02 GMT

Not getting any output OR not getting correct output?

Re: How to check how long splunk uf agents are down on particular servers?

somesoni2 — Mon, 06 Aug 2018 19:29:21 GMT

I would've suggested similar but they've restarted UF so logs would be coming through and that recentTime would be updated. They want to know for how long it was down.

Re: How to check how long splunk uf agents are down on particular servers?

ddrillic — Mon, 06 Aug 2018 19:30:46 GMT

oh oh oh - got it. Thank you @somesoni2.

Re: How to check how long splunk uf agents are down on particular servers?

splunker969 — Mon, 06 Aug 2018 19:34:29 GMT

Not getting any output

Re: How to check how long splunk uf agents are down on particular servers?

somesoni2 — Mon, 06 Aug 2018 20:46:13 GMT

How about this one?

index=_internal host=a OR host=b OR host=..all other hosts.. component=HttpPubSubConnection Running phone
 | table _time host | sort 0 host _time | streamstats current=f window=1 values(_time) as prev_time 
 | eval duration=abs(_time-prev_time) | eventstats max(duration) as downtime by host | where downtime>PutPhoneHomePeriodInSecsHere AND downtime=duration | eval DownFrom=strftime(prev_time,"%+") | eval DownTo=strftime(_time,"%+")

Re: How to check how long splunk uf agents are down on particular servers?

splunker969 — Tue, 07 Aug 2018 16:38:48 GMT

Hi somesoni2

This query is not working .Not getting any output

Thanks,
Splunker969

Re: How to check how long splunk uf agents are down on particular servers?

splunker969 — Wed, 08 Aug 2018 18:48:10 GMT

Need help on this question can anybody help me? Thanks in advance !

Re: How to check how long splunk uf agents are down on particular servers?

thambisetty — Wed, 08 Aug 2018 19:47:03 GMT

Have you replaced PutPhoneHomePeriodInSecsHere with your phone home interval?

Re: How to check how long splunk uf agents are down on particular servers?

somesoni2 — Wed, 08 Aug 2018 19:50:14 GMT

Does this yield in something?

index=_internal host=a OR host=b OR host=..all other hosts.. component=HttpPubSubConnection Running phone
  | table _time host | sort 0 host _time | streamstats current=f window=1 values(_time) as prev_time 
  | eval duration=abs(_time-prev_time) | eval DownFrom=strftime(prev_time,"%+") | eval DownTo=strftime(_time,"%+")

Re: How to check how long splunk uf agents are down on particular servers?

splunker969 — Tue, 29 Sep 2020 20:54:27 GMT

Hi Somesoni2 ,

This search gives results .In DownFROM is august 13 DownTo is august12. Which is I changed as below .Please Correct query if anything not correct .Thanks In advance 🙂

Re: How to check how long splunk uf agents are down on particular servers?

MonkeyK — Wed, 15 Apr 2020 23:06:45 GMT

kind of an old thread, but it seems to me that the streamstats needs a "by host" clause. Otherwise it will be comparing the last entry for one host with the first entry of another host