https://community.splunk.com/t5/Splunk-Search/How-do-you-suppress-an-alert-when-indexer-s-are-down/m-p/277241#M83611 <P>shouldn't that read <CODE>| where IndexerDown=0 AND ForwarderUp=0</CODE> ?</P> Wed, 10 Feb 2016 00:17:30 GMT s2_splunk 2016-02-10T00:17:30Z https://community.splunk.com/t5/Splunk-Search/How-do-you-suppress-an-alert-when-indexer-s-are-down/m-p/277239#M83609 <P>We have a lot of searches that run to ensure we are receiving data from a Splunk forwarder and that it is still running. To do this, we have a search set up for each forwarder checking against the internal logs:</P> <PRE><CODE>index="_internal" source="*metrics.log" group=tcpin_connections | eval sourceHost=if(isnull(hostname), sourceHost,hostname) | search sourceHost="phpdbo01" </CODE></PRE> <P>The above alerts us when the forwarder phpdbo01 is down/not sending information back to indexers. One of the issues we have is that we want to have a default message come through, if Splunk attempts to run a search and the indexers are down, we would like for a message such as <EM>"Splunk indexers are down please resubmit your search once they come back up"</EM>, because in many cases, as with the alert above, we are looking for an absence of data to trigger an alert. When the above search runs and the indexers are down, Splunk returns 0 results and so sends out an alert that the phpdbo01 forwarder is down. I was trying to work with the below, but I am not having a great deal of luck:</P> <PRE><CODE>index="_internal" source="*splunkd.log" host="pl-wlmsplpp01" "Unable to distribute to peer named" | rex field=_raw "Unable to distribute to peer named (?.*):\d+ at " | eval status=if(indexer=="pl-wlmsplpp04" OR indexer=="pl-wlmsplpp03","Down","Up") | eval search_result = if(status!="Down",[search index="_internal" source="*metrics.log" group=tcpin_connections | eval sourceHost=if(isnull(hostname), sourceHost,hostname) | search sourceHost="phpdbo01"], "Indexer is down. please run search again at a later date") | table search_result </CODE></PRE> <P>Unfortunately, I have been unable to get the above working. Can anyone help or have you already done something similar that could be adapted?</P> Tue, 09 Feb 2016 16:15:58 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-suppress-an-alert-when-indexer-s-are-down/m-p/277239#M83609 mookiie2005 2016-02-09T16:15:58Z https://community.splunk.com/t5/Splunk-Search/How-do-you-suppress-an-alert-when-indexer-s-are-down/m-p/277240#M83610 <P>Try something like this</P> <PRE><CODE>| rest /services/search/distributed/peers splunk_server=local | where status!="Up" | stats count as IndexerDown | appendcols [search index="_internal" source="*metrics.log" group=tcpin_connections | eval sourceHost=if(isnull(hostname), sourceHost,hostname) | search sourceHost="phpdbo01" | stats count as ForwarderUp] | where IndexerDown&gt;0 OR ForwarderUp&gt;0 </CODE></PRE> <P>So this will give alert only when both IndexerDown=0 (means all indexers are up) and ForwarderUp=0 (means no event from Forwarder)</P> Tue, 09 Feb 2016 17:11:02 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-suppress-an-alert-when-indexer-s-are-down/m-p/277240#M83610 somesoni2 2016-02-09T17:11:02Z https://community.splunk.com/t5/Splunk-Search/How-do-you-suppress-an-alert-when-indexer-s-are-down/m-p/277241#M83611 <P>shouldn't that read <CODE>| where IndexerDown=0 AND ForwarderUp=0</CODE> ?</P> Wed, 10 Feb 2016 00:17:30 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-suppress-an-alert-when-indexer-s-are-down/m-p/277241#M83611 s2_splunk 2016-02-10T00:17:30Z