Hi,
Looking at the Broken Hosts App for Splunk, but there isn't any real documentation on it. Is it available? Or examples? I enabled it with defaults, and it alerted on a bunch of hosts, but that didn't make sense to me, given the contents of the default lookup file.
Documentation has been updated on splunkbase:
https://splunkbase.splunk.com/app/3247/#/details
Also, the version 3.2.0 has been released, and has an updated README.md.
It also makes the app install process easier, especially for search head clusters.
Please take a look at this updated documentation, and let me know if there are still questions about this app.
Thanks for the update. Works as expected. Documentation appreciated. Great work
Sorry for the delayed response:
README.md
file that is in the app. This is has more information.Let me know if this helps, or if you have any additional questions that I can help with.
@tlmayes - The current version is not "visible" since there are not really any dashboards in the app. (The next version will be "visible", and will have a dashboard).
The goal of this app is to alert you when data stops coming into splunk. The app setup screen doesn't seem to work properly in clustering, so you will probably need to update the macros manually (this issue will be fixed in the next release).
The "default_contact" macro is the primary macro that you'll want to update. Change this to the email address that you want to send the alerts to.
Be aware that you might get a rather large email every hour until you update the "expectedTime" lookup table.
Let me know if there are any additional questions about this as you continue to work though the tuning process.
I hope to provide better documentation in the next release also.
The app page references a setup page. Was that not in there and no README in it?
Other than that, I guess we defer to the app author at Hurricane?
I was asked to install this app in our enterprise environment. Did so, as well as installed in lab for testing/validation. App does not show up in "visible" apps in either environment, even though is set to "visible". Followed the README for both (since one is clustered and uses App distribution).
So, stupid question. What is it supposed to do? I get a search bar, and access to lookups (specifically expectedTime.csv (with no data))
I'll check for a README. That said, an app shouldn't be considered certified without proper doc and examples...