https://community.splunk.com/t5/Alerting/Alert-when-a-Splunk-service-is-down/m-p/368413#M11459 <P>Hi, </P> <P>Suppose we have 10 heavy forwarders and want to get alerted if any one of them goes down. <BR /> How do we form an alert query. </P> <P><CODE>index=_internal source=*splunkd.log*</CODE> may work for for a single server, how to extend the query to work for multiple servers.</P> <P>If we use, <BR /> <CODE>index=_internal source=*splunkd.log* | stats count by host</CODE> .. It may not work as host is down and won't be included in the results set. </P> Fri, 27 Apr 2018 00:13:23 GMT nawazns5038 2018-04-27T00:13:23Z https://community.splunk.com/t5/Alerting/Alert-when-a-Splunk-service-is-down/m-p/368413#M11459 <P>Hi, </P> <P>Suppose we have 10 heavy forwarders and want to get alerted if any one of them goes down. <BR /> How do we form an alert query. </P> <P><CODE>index=_internal source=*splunkd.log*</CODE> may work for for a single server, how to extend the query to work for multiple servers.</P> <P>If we use, <BR /> <CODE>index=_internal source=*splunkd.log* | stats count by host</CODE> .. It may not work as host is down and won't be included in the results set. </P> Fri, 27 Apr 2018 00:13:23 GMT https://community.splunk.com/t5/Alerting/Alert-when-a-Splunk-service-is-down/m-p/368413#M11459 nawazns5038 2018-04-27T00:13:23Z https://community.splunk.com/t5/Alerting/Alert-when-a-Splunk-service-is-down/m-p/368414#M11460 <P>You can search metadata and alert if forwarders do not report for more than a certain threshold<BR /> <PRE>| metadata type=hosts | eval age = now() - lastTime | search age &gt; 300 </PRE></P> Fri, 27 Apr 2018 02:18:00 GMT https://community.splunk.com/t5/Alerting/Alert-when-a-Splunk-service-is-down/m-p/368414#M11460 pradeepkumarg 2018-04-27T02:18:00Z https://community.splunk.com/t5/Alerting/Alert-when-a-Splunk-service-is-down/m-p/368415#M11461 <P>Add your heavy forwarders as search peers to your <A href="http://docs.splunk.com/Documentation/Splunk/7.0.3/DMC/DMCoverview">Monitoring Console</A> and enable the "DMC Alert - Search Peer Not Responding" alert.</P> Fri, 27 Apr 2018 03:22:47 GMT https://community.splunk.com/t5/Alerting/Alert-when-a-Splunk-service-is-down/m-p/368415#M11461 Yorokobi 2018-04-27T03:22:47Z https://community.splunk.com/t5/Alerting/Alert-when-a-Splunk-service-is-down/m-p/368416#M11462 <P><STRONG>However, in environments with large numbers of values for each category, the data might not be complete. This is intentional and allows the metadata command to operate within reasonable time and memory usage.</STRONG> ... from docs.</P> <P>I don't think metadata can produce accurate results, I don't see it working </P> Fri, 27 Apr 2018 23:09:18 GMT https://community.splunk.com/t5/Alerting/Alert-when-a-Splunk-service-is-down/m-p/368416#M11462 nawazns5038 2018-04-27T23:09:18Z https://community.splunk.com/t5/Alerting/Alert-when-a-Splunk-service-is-down/m-p/368417#M11463 <P>It checks only the indexers and that too only the management port (8089)</P> Fri, 27 Apr 2018 23:12:00 GMT https://community.splunk.com/t5/Alerting/Alert-when-a-Splunk-service-is-down/m-p/368417#M11463 nawazns5038 2018-04-27T23:12:00Z https://community.splunk.com/t5/Alerting/Alert-when-a-Splunk-service-is-down/m-p/368418#M11464 <P>@Yorokobi is right - if you add the HFs as search peers on your Monitoring console, the MC will contact them via port 8089 and you can use it's built-in alert to get a notification when one of them goes down. Actually works for all Splunk instances, be they indexers, search heads, HFs...</P> Mon, 30 Apr 2018 21:15:26 GMT https://community.splunk.com/t5/Alerting/Alert-when-a-Splunk-service-is-down/m-p/368418#M11464 xpac 2018-04-30T21:15:26Z https://community.splunk.com/t5/Alerting/Alert-when-a-Splunk-service-is-down/m-p/368419#M11465 <P>If you use what you have and add one more line, you have an instant alert.</P> <PRE><CODE>index=_internal source=*splunkd.log* | stats dc(host) AS count values(host) | where count &lt; &lt;known_number_of_hosts&gt; </CODE></PRE> Thu, 10 May 2018 00:03:20 GMT https://community.splunk.com/t5/Alerting/Alert-when-a-Splunk-service-is-down/m-p/368419#M11465 woodcock 2018-05-10T00:03:20Z https://community.splunk.com/t5/Alerting/Alert-when-a-Splunk-service-is-down/m-p/368420#M11466 <P>This needs one more stats or (just) dc(host) on existing one. Right now the count gives count of evwnts for host.</P> Thu, 10 May 2018 00:35:11 GMT https://community.splunk.com/t5/Alerting/Alert-when-a-Splunk-service-is-down/m-p/368420#M11466 somesoni2 2018-05-10T00:35:11Z https://community.splunk.com/t5/Alerting/Alert-when-a-Splunk-service-is-down/m-p/368421#M11467 <P>Correct, I really messed that up the first time. Corrected now.</P> Thu, 10 May 2018 14:38:53 GMT https://community.splunk.com/t5/Alerting/Alert-when-a-Splunk-service-is-down/m-p/368421#M11467 woodcock 2018-05-10T14:38:53Z https://community.splunk.com/t5/Alerting/Alert-when-a-Splunk-service-is-down/m-p/368422#M11468 <P>Create a lookup with all the required hostnames and use it in the below query. </P> <P>index=_internal host=*hfwd* | stats count by host <BR /> | append [ | inputlookup hfwd_hosts | table host ] | stats sum(count) as count by host | fillnull value=0 | where count =0 </P> Tue, 29 Sep 2020 21:04:50 GMT https://community.splunk.com/t5/Alerting/Alert-when-a-Splunk-service-is-down/m-p/368422#M11468 nawazns5038 2020-09-29T21:04:50Z https://community.splunk.com/t5/Alerting/Alert-when-a-Splunk-service-is-down/m-p/368423#M11469 <P>Also you can narrow down search | metadata type=hosts | search host= | eval age = now() - lastTime | search age &gt; 300 </P> <P>OR </P> <P>| metadata type=hosts | search host=testweb* | eval age = now() - lastTime | search age &gt; 300 </P> Thu, 21 Feb 2019 16:30:20 GMT https://community.splunk.com/t5/Alerting/Alert-when-a-Splunk-service-is-down/m-p/368423#M11469 Krishnagrandhi 2019-02-21T16:30:20Z