https://community.splunk.com/t5/Alerting/Alert-or-Show-when-a-host-is-down-from-any-index/m-p/118379#M1777 <P>All the hosts (whether they are sending data or not) send heartbeat to indexer in _internal index. you can query that to identify if a host is down or not.</P> <P>index=_internal source=*metrics.log group=tcpin_connections earliest=-7d@d <BR /> | eval sourceHost=coalesce(hostname, sourceHost) <BR /> | eval age = (now() - _time ) <BR /> |stats first(age) as age, first(_time) as LastTime by sourceHost <BR /> | convert ctime(LastTime) as "Last Active On" <BR /> | eval Status= case(age &lt; XXX,"Running",age &gt; XXX,"DOWN") </P> <P>Where XXX=duration in second for which is their are no heartbeat from host, the host is down. Typically is can be 2-3 min (120 or 180)</P> Mon, 28 Oct 2013 18:50:26 GMT somesoni2 2013-10-28T18:50:26Z https://community.splunk.com/t5/Alerting/Alert-or-Show-when-a-host-is-down-from-any-index/m-p/118378#M1776 <P>I have multiple indexes that I would like to look across all of them see when a host stops sending logs or down within a 24 hour window.</P> Mon, 28 Oct 2013 16:45:12 GMT https://community.splunk.com/t5/Alerting/Alert-or-Show-when-a-host-is-down-from-any-index/m-p/118378#M1776 jaywilwk 2013-10-28T16:45:12Z https://community.splunk.com/t5/Alerting/Alert-or-Show-when-a-host-is-down-from-any-index/m-p/118379#M1777 <P>All the hosts (whether they are sending data or not) send heartbeat to indexer in _internal index. you can query that to identify if a host is down or not.</P> <P>index=_internal source=*metrics.log group=tcpin_connections earliest=-7d@d <BR /> | eval sourceHost=coalesce(hostname, sourceHost) <BR /> | eval age = (now() - _time ) <BR /> |stats first(age) as age, first(_time) as LastTime by sourceHost <BR /> | convert ctime(LastTime) as "Last Active On" <BR /> | eval Status= case(age &lt; XXX,"Running",age &gt; XXX,"DOWN") </P> <P>Where XXX=duration in second for which is their are no heartbeat from host, the host is down. Typically is can be 2-3 min (120 or 180)</P> Mon, 28 Oct 2013 18:50:26 GMT https://community.splunk.com/t5/Alerting/Alert-or-Show-when-a-host-is-down-from-any-index/m-p/118379#M1777 somesoni2 2013-10-28T18:50:26Z https://community.splunk.com/t5/Alerting/Alert-or-Show-when-a-host-is-down-from-any-index/m-p/118380#M1778 <P>I tried this search out and wasn't able to yield any results. I tried changing the XXX to differents seconds and still didn't yield any results.</P> Mon, 28 Oct 2013 19:12:22 GMT https://community.splunk.com/t5/Alerting/Alert-or-Show-when-a-host-is-down-from-any-index/m-p/118380#M1778 jaywilwk 2013-10-28T19:12:22Z https://community.splunk.com/t5/Alerting/Alert-or-Show-when-a-host-is-down-from-any-index/m-p/118381#M1779 <P>Or you can look at the metadata to see when a host last sent some data. The example below lists hosts that have not sent data in the last day (86400 seconds). Should be significantly quicker than searching through the metrics logs.</P> <PRE><CODE>| metadata type=hosts |where recentTime &lt; now() - 86400 | eval lastSeen = strftime(recentTime, "%F %T") | fields + host lastSeen </CODE></PRE> <P>/K</P> Mon, 28 Oct 2013 19:15:23 GMT https://community.splunk.com/t5/Alerting/Alert-or-Show-when-a-host-is-down-from-any-index/m-p/118381#M1779 kristian_kolb 2013-10-28T19:15:23Z https://community.splunk.com/t5/Alerting/Alert-or-Show-when-a-host-is-down-from-any-index/m-p/118382#M1780 <P>This worked fine, but it left out some host. There's a host that's not showing that I know isn't reporting. Hasn't been reporting for over 3 days now.</P> Mon, 28 Oct 2013 19:24:16 GMT https://community.splunk.com/t5/Alerting/Alert-or-Show-when-a-host-is-down-from-any-index/m-p/118382#M1780 jaywilwk 2013-10-28T19:24:16Z https://community.splunk.com/t5/Alerting/Alert-or-Show-when-a-host-is-down-from-any-index/m-p/118383#M1781 <P>does it show with only the first part?</P> <P><CODE>| metadata type=hosts</CODE></P> <P>/K</P> Mon, 28 Oct 2013 19:27:06 GMT https://community.splunk.com/t5/Alerting/Alert-or-Show-when-a-host-is-down-from-any-index/m-p/118383#M1781 kristian_kolb 2013-10-28T19:27:06Z https://community.splunk.com/t5/Alerting/Alert-or-Show-when-a-host-is-down-from-any-index/m-p/118384#M1782 <P>It shows with only the first part, but not with the rest.</P> Mon, 28 Oct 2013 19:29:33 GMT https://community.splunk.com/t5/Alerting/Alert-or-Show-when-a-host-is-down-from-any-index/m-p/118384#M1782 jaywilwk 2013-10-28T19:29:33Z https://community.splunk.com/t5/Alerting/Alert-or-Show-when-a-host-is-down-from-any-index/m-p/118385#M1783 <P>Ok. </P> <P><CODE>| metadata type=hosts | eval lastSeen = strftime(recentTime, "%F %T") | fields + host lastSeen</CODE></P> <P>?</P> Mon, 28 Oct 2013 19:31:15 GMT https://community.splunk.com/t5/Alerting/Alert-or-Show-when-a-host-is-down-from-any-index/m-p/118385#M1783 kristian_kolb 2013-10-28T19:31:15Z https://community.splunk.com/t5/Alerting/Alert-or-Show-when-a-host-is-down-from-any-index/m-p/118386#M1784 <P>Ok, this one shows everything. It doesn't just show ones that are not loggin or down. Is it possible to show only the ones that are down or not logging.</P> Mon, 28 Oct 2013 19:37:48 GMT https://community.splunk.com/t5/Alerting/Alert-or-Show-when-a-host-is-down-from-any-index/m-p/118386#M1784 jaywilwk 2013-10-28T19:37:48Z https://community.splunk.com/t5/Alerting/Alert-or-Show-when-a-host-is-down-from-any-index/m-p/118387#M1785 <P>well, yes, that is the purpose of the <CODE>where</CODE> statement in the original query. However, does <CODE>lastSeen</CODE> for your 'missing' host seem correct?</P> Mon, 28 Oct 2013 20:14:03 GMT https://community.splunk.com/t5/Alerting/Alert-or-Show-when-a-host-is-down-from-any-index/m-p/118387#M1785 kristian_kolb 2013-10-28T20:14:03Z https://community.splunk.com/t5/Alerting/Alert-or-Show-when-a-host-is-down-from-any-index/m-p/118388#M1786 <P>Yes it worked.</P> Mon, 28 Oct 2013 20:18:13 GMT https://community.splunk.com/t5/Alerting/Alert-or-Show-when-a-host-is-down-from-any-index/m-p/118388#M1786 jaywilwk 2013-10-28T20:18:13Z https://community.splunk.com/t5/Alerting/Alert-or-Show-when-a-host-is-down-from-any-index/m-p/118389#M1787 <P>I know this is a bit dated, but I was interested in finding hosts that "suddenly stop reporting to splunk" and I found this answer.</P> <P>When I run this search everything looks fine, and it makes sense. But I decided to test this by issuing a stop command on one of my forwarding agents. That device no longer shows up in the list at all instead of showing up with a "down" status. </P> <P>Can anyone take a stab at why that would happen? (I haven't altered the search except to add seconds where there are XXX's)</P> Thu, 28 Aug 2014 15:05:12 GMT https://community.splunk.com/t5/Alerting/Alert-or-Show-when-a-host-is-down-from-any-index/m-p/118389#M1787 thelen_m_kevin 2014-08-28T15:05:12Z https://community.splunk.com/t5/Alerting/Alert-or-Show-when-a-host-is-down-from-any-index/m-p/118390#M1788 <P>Did it show the host before you put it down (with same search)? The query depends on existence of fields hostname OR sourceHost from the events from that host (its used in stats so if either of the field is null they won't show up.</P> Thu, 28 Aug 2014 15:30:34 GMT https://community.splunk.com/t5/Alerting/Alert-or-Show-when-a-host-is-down-from-any-index/m-p/118390#M1788 somesoni2 2014-08-28T15:30:34Z https://community.splunk.com/t5/Alerting/Alert-or-Show-when-a-host-is-down-from-any-index/m-p/118391#M1789 <P>@somesoni2, do we to run your search on Indexer? When I tried running this on one of my search head, I was getting status of my splunk servers but not forwarders?</P> Thu, 10 Nov 2016 15:42:46 GMT https://community.splunk.com/t5/Alerting/Alert-or-Show-when-a-host-is-down-from-any-index/m-p/118391#M1789 splunker9999 2016-11-10T15:42:46Z