topic Idle log in Splunk Search

Idle log

saotaigiri — Wed, 24 Jun 2020 19:44:07 GMT

i need script in SPL to show when there is an idle forwarder or if a forwarder isn't forwarding

Re: Idle log

richgalloway — Wed, 24 Jun 2020 19:46:44 GMT

The Monitoring Console has an alert for that. Go to Settings->Monitoring Console->Settings->Alerts setup and look for "DMC Alert - Missing forwarders".

Re: Idle log

saotaigiri — Wed, 24 Jun 2020 19:50:44 GMT

It is greyed out, should i enable it?

Re: Idle log

richgalloway — Wed, 24 Jun 2020 20:07:38 GMT

If you want to receive alerts about missing forwarders then, yes, you should enable it.

Re: Idle log

saotaigiri — Fri, 26 Jun 2020 15:51:56 GMT

Hello,

The server was turned off to test if the alert would work but t did not work. Please what can I do to get an alert where the forwarder is not getting any data

Re: Idle log

richgalloway — Fri, 26 Jun 2020 17:53:54 GMT

"It did not work" doesn't help narrow the problem.
An alternative to the DMC alert is to create your own search for forwarder data. Save the search as an alert and have the alert trigger when the number of results is zero.

Re: Idle log

saotaigiri — Mon, 29 Jun 2020 18:36:15 GMT

Thanks for your reply, please could help to write the SPL query. I am not good at writing SPL queries.

Re: Idle log

richgalloway — Mon, 29 Jun 2020 20:53:06 GMT

I can help. What do you have so far?

Re: Idle log

saotaigiri — Tue, 30 Jun 2020 17:58:24 GMT

The query below is what I am using but it doesn't seem to work. Please can you look at it and if possible tweak to the correct one.

I am looking to get an alert when a server or host meant to be feeding Splunk goes down. Thanks

Re: Idle log

richgalloway — Tue, 30 Jun 2020 19:02:15 GMT

That rest command will get you the status of your Splunk instances (indexers, search heads, etc), but not your forwarders

Try this query I found in the Splunk Security Essentials app. You should modify the index and sourcetype parameters to suit for environment.

| tstats prestats=t count(host) where index=* groupby host _time span=1d | tstats prestats=t append=t count where index=* sourcetype=* by host _time span=1d | stats count(host) as all_logs count as win_logs by host _time | eval win_perc=round(100*(win_logs / all_logs), 2) | eventstats max(_time) as maxtime | stats count as num_data_samples avg(eval(if(_time<relative_time(maxtime, "-1d@d"), win_perc, null))) as avg sum(eval(if(_time<relative_time(maxtime, "-1d@d") AND win_perc=0, 1, null))) as past_instances_of_no_logs max(eval(if(_time>=relative_time(maxtime, "-1d@d"), win_perc, null))) as latest by host | where isnotnull(avg) AND num_data_samples>10 AND isnull(past_instances_of_no_logs) AND latest=0