topic Re: Search for peers with status=down in Splunk Search

Search for peers with status=down

pc1 — Fri, 08 Oct 2021 15:41:37 GMT

What search can I do to find peers with status=down. Looking to form an alert when this happens but can't find it within a search.

Re: Search for peers with status=down

Stefanie — Fri, 08 Oct 2021 17:02:12 GMT

Are you looking for hosts with forwarders installed that havent reported to Splunk in some time?

You can use the Monitoring Console to view that. To view the missing hosts, you can click on the Forwarders tab and then Forwarders: Deployment.

For an alert, go to the Monitoring Console -> Settings -> Alerts Setup. There is an alert named DMC Alert - Missing Forwarders.

Note: A forwarder shows a status of "missing" if it has not connected to indexers within 15 minutes

Re: Search for peers with status=down

somesoni2 — Fri, 08 Oct 2021 17:11:14 GMT

Splunk Monitoring console (formally known as DMC) has alert "DMC Alert - Search Peer Not Responding" which does the same thing. It basically runs following search:

| rest splunk_server=local /services/search/distributed/peers/ | where status!="Up" | fields peerName, status | rename peerName as Instance, status as Status

Re: Search for peers with status=down

pc1 — Fri, 08 Oct 2021 20:26:52 GMT

Yup, found this preexisting alert and was able to edit the Actions on it to integrate with the Slack Notifications add-on. Runs every 5 minutes to check if the server is down so this works perfectly for me. Thanks for the help!

Re: Search for peers with status=down

net_id — Mon, 15 Apr 2024 07:24:06 GMT

Anyone coming here should know that in 9.2.0.1 this does not work any more.
Look at dmc_instances_view_default_search macro for how the monitoring console does it now.