Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to compare a list of hosts from a week to another

mataharry
Communicator
‎05-03-2011 10:37 AM

I want to check every hour iIf my forwarders are sending data constantly to my indexer, to setup an alert.
I am using metrics.log to measure the thruput traffic but it returns only the last hosts sending data, the one not sending data are not even mentioned.
How to compare that to the complete list of my hosts ?

Can I use metadata, or summary searches, lookups ?

Reply
1 Solution
Solved! Jump to solution
Solution

yannK
Splunk Employee
Splunk Employee
‎05-03-2011 10:42 AM

Hi, you can use anything you want, but a simple method is to store a recent list of your hosts in a lookup table.

EDIT : metrics.log only store results for the top 10 hosts/source/sourcetype, this solution is not suitable for large number of hosts/forwarders.

  • schedule one search running weekly and to generate a lookup table with the list of hosts (with in that case the sum of all the traffic of the week)


    
index=_internal group="per_host_thruput" earliest=-14d@d latest=-7d@d  | eval mb=kb/1024 | stats sum(mb) as traffic_mb_lastweek by series | outputlookup traffic_mb_lastweek.csv

  • schedule a search running every hour, after 5 minutes of delay (cron = 5 * * * *) and comparing to the list of the lookup.


    
index=_internal group="per_host_thruput" earliest=-1h@d latest=@h  | eval mb=kb/1024  | stats sum(mb) as traffic_mb by series | appendcols [|inputlookup traffic_mb_lastweek.csv]

then you can add some conditions depending of your thresholds, by example look for hosts with no traffic if the traffic is usually significant.



| Where isnull(traffic_mb) AND traffic_mb_lastweek > 1

View solution in original post

Reply
Solved! Jump to solution

Kellhart
Engager
‎06-24-2015 07:22 AM

This is interesting but how about the number of servers that appear in the forwarder management list but have never sent data? They have a forwarder but since they are not generating the data we look for (via white lists) we never can report on them. Can Splunk not retrieve the forwarder management list and use that for lookup?

Reply
Solved! Jump to solution
Solution

yannK
Splunk Employee
Splunk Employee
‎05-03-2011 10:42 AM

Hi, you can use anything you want, but a simple method is to store a recent list of your hosts in a lookup table.

EDIT : metrics.log only store results for the top 10 hosts/source/sourcetype, this solution is not suitable for large number of hosts/forwarders.

  • schedule one search running weekly and to generate a lookup table with the list of hosts (with in that case the sum of all the traffic of the week)


    
index=_internal group="per_host_thruput" earliest=-14d@d latest=-7d@d  | eval mb=kb/1024 | stats sum(mb) as traffic_mb_lastweek by series | outputlookup traffic_mb_lastweek.csv

  • schedule a search running every hour, after 5 minutes of delay (cron = 5 * * * *) and comparing to the list of the lookup.


    
index=_internal group="per_host_thruput" earliest=-1h@d latest=@h  | eval mb=kb/1024  | stats sum(mb) as traffic_mb by series | appendcols [|inputlookup traffic_mb_lastweek.csv]

then you can add some conditions depending of your thresholds, by example look for hosts with no traffic if the traffic is usually significant.



| Where isnull(traffic_mb) AND traffic_mb_lastweek > 1

Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎04-24-2014 12:58 PM

You can also use |metadata command to get the list of forwarders sending to indexer and when was the last time they sent data. Note: if you're interested in knowing the amount of data being sent at an interval, this will not work. It shows the total amount of data.

|metadata type=hosts index=* | convert ctime(lastTime) as lastTime ctime(recentTime) as recentTime ctime(firstTime) as firstTime

0 Karma
Reply
Solved! Jump to solution

yannK
Splunk Employee
Splunk Employee
‎04-24-2014 12:52 PM

Then do not use metrics, and instead search the actual data,
It can a higher load, so restrict well the timerange.

0 Karma
Reply
Solved! Jump to solution

di2esysadmin
Path Finder
‎04-24-2014 12:49 PM

What is the solution then for a larger number of hosts?

0 Karma
Reply
Solved! Jump to solution

yannK
Splunk Employee
Splunk Employee
‎05-04-2011 04:32 PM

You are right, the metrics.log only store metrics store the top 10 hosts. This is search will not work for a large deployment.0

0 Karma
Reply
Solved! Jump to solution

twinspop
Influencer
‎05-04-2011 06:45 AM

Will this work as expected? According to gkanapathy, per_host_thruput only has the top 10 hosts: http://splunk-base.splunk.com/answer_link/23635/

Reply
Get Updates on the Splunk Community!

Video | Welcome Back to Smartness, Pedro

Remember Splunk Community member, Pedro Borges? If you tuned into Episode 2 of our Smartness interview series, ...

Detector Best Practices: Static Thresholds

Introduction In observability monitoring, static thresholds are used to monitor fixed, known values within ...

Expert Tips from Splunk Education, Observability in Action, Plus More New Articles on ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...