topic Re: How to count the number of times Splunk is restarted. in Splunk Search

How to count the number of times Splunk is restarted.

kamal_jagga — Tue, 09 Jun 2015 19:05:58 GMT

Hi,

I want to create a metrics of Count of the following things.
1. Splunk restarts done from UI.
2. Splunkd restarts done.
3. Splunk Forwarder restarts.

Kindly advise.

Re: How to count the number of times Splunk is restarted.

kamal_jagga — Tue, 09 Jun 2015 22:40:35 GMT

Also, how to find out the metrics for search head restarts.

Any help is appreciated.

Re: How to count the number of times Splunk is restarted.

MichaelPriest — Wed, 10 Jun 2015 07:34:33 GMT

Have a look in the audit index, index="_audit" and look at the action field

Re: How to count the number of times Splunk is restarted.

fdi01 — Mon, 28 Sep 2020 20:12:29 GMT

you seeing many action=restart_splunkd messages from your "_audit" index .

try like:

index="_audit" host="host_you_want" | stats count(eval(action="restart_splunkd")) as "number of times Splunkd is restarted"

...

Re: How to count the number of times Splunk is restarted.

yannK — Wed, 10 Jun 2015 11:17:28 GMT

to see if splunk is up, I look at the events

index=_internal source=*splunkd.log*  "(build"

but sometimes, you can see 2 close events for a single restart. So if you want the exact count you can add add a bucket per minute and dedup.

Re: How to count the number of times Splunk is restarted.

kamal_jagga — Mon, 28 Sep 2020 20:12:43 GMT

Thanks it provided me the count.
But i found that there are multiple entries for the same restart with gap of milliseconds.
Query :index="_audit" action="restart_splunkd"

Is it possible that we can put some filter/condition where it counts the event only if there is a gap, say 2 mins between them.

Re: How to count the number of times Splunk is restarted.

kamal_jagga — Wed, 10 Jun 2015 20:53:47 GMT

Hey,

How can i add a bucket of a min or 2 and dedup.

Would you be able to give the exact query string.

Re: How to count the number of times Splunk is restarted.

kamal_jagga — Mon, 28 Sep 2020 20:12:49 GMT

Also, when i see the results of the following query.

index=_internal splunkd.log "start"

I see 2 source types.
sourcetype=splunkd_remote_searches
and other
sourcetype=splunkd coming from splunkforwarder.

is this the standard format.
And which one is for the splunkd.

And also want to know how to find out the splunk restarts done from Splunk UI. (I just not restarted splunk from UI and don't see that in the above mentioned splunkd restarts)

Kindly advise.

Re: How to count the number of times Splunk is restarted.

kamal_jagga — Wed, 10 Jun 2015 21:25:55 GMT

Also,
When i used your query, i found some extra events also. So, i modified it to the below one.

index=_internal source=splunkd.log "Splunkd starting (build 245427)."

Now, would you be able to suggest how to count the number of events that come from this search.

Thanks

Re: How to count the number of times Splunk is restarted.

jeffland — Thu, 11 Jun 2015 06:21:21 GMT

That's exactly what yannK suggested - bucketing time and deduping. Going from the above search, that would be

index="_audit" action="restart_splunkd" | bucket _time span=2m | dedup _time | stats count as "number of times Splunkd is restarted"

(Or you leave action="restart_splunkd" in stats count, however you prefer it - although this should be faster)

Re: How to count the number of times Splunk is restarted.

splunker12er — Mon, 28 Sep 2020 20:13:08 GMT

index=_internal source=splunkd.log "(build"| timechart span=1m values(_raw) as Event

index=_internal source=splunkd.log "(build"| dedup _raw|table _raw,_time

Re: How to count the number of times Splunk is restarted.

fdi01 — Thu, 11 Jun 2015 08:13:38 GMT

if you ok for answer, you can vote up or accept answer.
to see where it counts the event only if there is a gap, say 2 mins between them.
see what Mr jeffland: doing down in comment.
and you can add by _time in stats to more see.
ex: index="_audit" action="restart_splunkd" | bucket _time span=2m | dedup _time | stats count as "number of times Splunkd is restarted" by _time

thank. Mr kamal_jagga

Re: How to count the number of times Splunk is restarted.

dsmc_adv — Wed, 11 May 2016 09:28:26 GMT

This search does not return valid results for me, the one from yannk it does

Re: How to count the number of times Splunk is restarted.

dsmc_adv — Wed, 11 May 2016 09:28:53 GMT

I downvoted this post because it doesn't return all the values