https://community.splunk.com/t5/Splunk-Search/service-status-of-a-service-including-Disaster-Recovery/m-p/685332#M233841 <P>Just in a situation where I have 2 servers, where 1 is active and the other is passive. I had to deploy the TA on both the servers and report the service status of a service.<BR /><BR />So the active server would be reporting the service is "Running" and the passive server would say the service is "stopped"<BR /><BR />I have tried writing up a SPL but my only worry is if there is a situation when the service stops on the active server how to get it reported. or if there is no data from the active server. There should be atleast 1 server reporting the service is "Running" always. Only during the DR situation the server name would change<BR /><BR /></P><LI-CODE lang="markup">index=mday source="service_status.ps1" sourcetype=service_status os_service="App_Service" host=*papp01 | stats values(host) AS active_host BY status | where status=="Running" | append [ search index = mday source =service_status.ps1 sourcetype = service_status os_service="App_Service" host=*papp01 | stats latest(status) AS status by host,os_service,service_name ] | filldown active_host | where active_host=host AND status!="Running" | table host,active_host,os_service,service_name,status</LI-CODE><P>&nbsp;</P><P>Any help is much appreciated</P> Wed, 24 Apr 2024 14:09:30 GMT ashraf_sj 2024-04-24T14:09:30Z https://community.splunk.com/t5/Splunk-Search/service-status-of-a-service-including-Disaster-Recovery/m-p/685332#M233841 <P>Just in a situation where I have 2 servers, where 1 is active and the other is passive. I had to deploy the TA on both the servers and report the service status of a service.<BR /><BR />So the active server would be reporting the service is "Running" and the passive server would say the service is "stopped"<BR /><BR />I have tried writing up a SPL but my only worry is if there is a situation when the service stops on the active server how to get it reported. or if there is no data from the active server. There should be atleast 1 server reporting the service is "Running" always. Only during the DR situation the server name would change<BR /><BR /></P><LI-CODE lang="markup">index=mday source="service_status.ps1" sourcetype=service_status os_service="App_Service" host=*papp01 | stats values(host) AS active_host BY status | where status=="Running" | append [ search index = mday source =service_status.ps1 sourcetype = service_status os_service="App_Service" host=*papp01 | stats latest(status) AS status by host,os_service,service_name ] | filldown active_host | where active_host=host AND status!="Running" | table host,active_host,os_service,service_name,status</LI-CODE><P>&nbsp;</P><P>Any help is much appreciated</P> Wed, 24 Apr 2024 14:09:30 GMT https://community.splunk.com/t5/Splunk-Search/service-status-of-a-service-including-Disaster-Recovery/m-p/685332#M233841 ashraf_sj 2024-04-24T14:09:30Z https://community.splunk.com/t5/Splunk-Search/service-status-of-a-service-including-Disaster-Recovery/m-p/685480#M233891 <P>There are multiple methods to achieve this. However, lets first try it in a simpler way</P><LI-CODE lang="markup">index=mday source="service_status.ps1" sourcetype=service_status os_service="App_Service" host=*papp01 |stats latest(status) AS status by host |eventstats values(status) as _status |eval OverallStatus=if(mvcount(_status) &lt; 2 OR isnull(mvfind(_status,"Running")),"Down","Good")</LI-CODE><P>Steps</P><P>- count the status values</P><P>- If the count is less than 2&nbsp; : meaning only one of the status from Running/Stopped is present</P><P>- OR Running status is not available, we are setting the overall status as down.</P><P>In this way, we can handle multiple situations where one of the server is down or both are reporting down or even both are reporting Running (active &amp; passive)</P><P>Demonstrated with a dummy search</P><LI-CODE lang="markup">|makeresults|eval host="HostA",status="Running" |append[|makeresults|eval host="HostB",status="Stopped"] |stats latest(status) as status by host |eventstats values(status) as _status |eval OverallStatus=if(mvcount(_status) &lt; 2 OR isnull(mvfind(_status,"Running")),"Down","Good")</LI-CODE><P>Try changing the status of HostA or HostB and see the results.</P><P>&nbsp;</P> Thu, 25 Apr 2024 13:59:49 GMT https://community.splunk.com/t5/Splunk-Search/service-status-of-a-service-including-Disaster-Recovery/m-p/685480#M233891 renjith_nair 2024-04-25T13:59:49Z https://community.splunk.com/t5/Splunk-Search/service-status-of-a-service-including-Disaster-Recovery/m-p/685775#M233977 <P>Thanks&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/136781">@renjith_nair</a>&nbsp;, this works, I have used the&nbsp;OverallStatus as condition to alert. Thanks a lot and much appreciated.&nbsp;</P> Mon, 29 Apr 2024 08:10:17 GMT https://community.splunk.com/t5/Splunk-Search/service-status-of-a-service-including-Disaster-Recovery/m-p/685775#M233977 ashraf_sj 2024-04-29T08:10:17Z