i have four servers and how to send alert when servers is down using inputlookup?


created lookup xx.csv i added four servers in the lookup file

| inputlookup xx.csv | eval count=0| table Host count| append [search[| inputlookup xx.csv]| stats count by Host]| stats sum(count) as Count by Host| where Count = 0
Tags (2)
0 Karma

Esteemed Legend

Like this:

| metadata type=hosts index=<YourIndexName>
| appendpipe [|inputlookup xxx.csv | eval lastTime = 0]
| dedup host
| eval lastDataDuration=(now()-lastTime)/60
| where lastDataDuration>YourThreshHoldIntegerNumberOfMinutesHere


There could be several streamlined methods of finding out if a host is down or is not sending events. Following are couple of those:

Using metadata command for scenario where your Host is running but Data is not getting in to SPLUNK (Created alert for a periodic schedule and time range like last 15 min etc)

| metadata type=hosts index=_internal
| eval lastEventDuration=(now()-lastTime)/60
| where lastDuration>15

Using REST API (provided you have access) for situation where host itself is down which would stop pinging Splunk server:

| rest /service/deployment/server/clients
| eval lastPingDuration=(now()-lastTime)/60
| where lastPingDuration>15
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Using the Splunk Threat Research Team’s Latest Security Content

REGISTER HERE Tech Talk | Security Edition Did you know the Splunk Threat Research Team regularly releases ...

SplunkTrust | 2024 SplunkTrust Application Period is Open!

It's that time again, folks! That's right, the application/nomination period for the 2024 SplunkTrust is ...