What type alert we can setup to monitor Spunk envi...

raomu · ‎01-19-2018

What type alert we can setup to monitor Spunk environment - We are using Splunk managed cloud services.

adonio · ‎01-21-2018

if i understand you correctly, you would like to have an alert telling you whether one of your 3 UF or 2 HF are down and nor sending data to the cloud?
if this is the case, you can create something like that:

| tstats count as event_count where index=* OR index=_* AND (host=UF1 OR host=UF2 OR host=UF3 OR host=HF1 OR host=HF2) by host

if you have count=0 it means that the particular forwarder did not send data in the time range specified and worthwhile to check it.
there are many other ways to alert on this situation but i think its a good start.

hope it helps

adonio · ‎01-20-2018

what is it that you would like to be alerted on?

raomu · ‎01-21-2018

I have 3 UF ( all UF are fwd data to these 3 UF) and 2 heavy FWD for which I need to put alert for.

What type alert we can setup to monitor Spunk environment - We are using Splunk managed cloud services.

Splunk Observability for AI

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

Observe and Secure All Apps with Splunk

Are you a member of the Splunk Community?

What type alert we can setup to monitor Spunk environment - We are using Splunk managed cloud services.

Splunk Observability for AI

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

Observe and Secure All Apps with Splunk