"pingstatus command" use for last seen hosts - to ensure host availability and detection of no log sent

saurabh_tek
Communicator

I am trying to write a query that will tell me when the last log was sent by a host and whether that host is pingable or down.

Here is my query -

| metadata type=hosts | pingstatus url as host | where recentTime < now() - 180 | eval lastseen = strftime(recentTime, "%F %T") | fields + host lastseen pingdelay | sort - lastseen

The pingstatus command should work but is not working; maybe I am doing something wrong.

@ndoshi could you please correct me where I am wrong and help me optimize this query to achieve the desired result?

0 Karma

neelamsantosh
Path Finder

Use hostname+domain_name, or else use the IP, to get the ping results.
How to get the host's domain name: see the DHCP logs under the dns_hostname field,
or else get the IP from either of the sourcetypes and search using |ping $host$.group.local

0 Karma

gcusello
SplunkTrust
SplunkTrust

To know if a host is connected or not you could use this simple search

index=_internal | dedup host | table host

In this way you always know if a host is up, but you have no information about hosts that are not connected.

To have a complete picture, you have to compile a lookup (e.g. perimeter.csv) with all your hosts and then use a search like this:

| inputlookup perimeter.csv | eval count=0 | append [ search index=_internal | stats count by host ] | stats sum(count) AS Total by host

in this way:

  • if Total=0 host is not connected,
  • if Total>0 host is connected

In addition you could also assign a range to your result and show it in graphic mode:
copy the following files into $SPLUNK_HOME/etc/apps/yourapp/appserver/static

  • table_icons_rangemap.js
  • table_decorations.css

files that you can find in the App Dashboard Examples app (https://splunkbase.splunk.com/app/1603/9), example custom_table_icon_set_rangemap.

add at the end of your search

| rangemap field=Total severe=0-0 low=1-1000000000 default=severe

and at the first row of your dashboard

<form script="table_icons_rangemap.js" stylesheet="table_decorations.css">

Bye.
Giuseppe

0 Karma
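The lookup-plus-append search above is a join of an inventory against the hosts Splunk has actually seen. As an added example that is not part of the original thread (and not Splunk's or Giuseppe's code), here is the same logic done offline in Python, extended with the time threshold from the original question: a host is "silent" when its newest event is older than N seconds, and a host that sends logs without being in the inventory is flagged too. The inventory text and the recentTime values are constructed stand-ins for perimeter.csv and for the output of `| metadata type=hosts`; the function and constant names are my own.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed stand-in for perimeter.csv (one inventoried host per row).
PERIMETER_CSV = """host
web01
web02
db01
dc01
"""

# Constructed stand-in for "| metadata type=hosts": host -> recentTime,
# i.e. the timestamp of the newest event indexed for that host.
NOW = datetime(2024, 5, 1, 12, 0, 0, tzinfo=timezone.utc)
METADATA_HOSTS = {
    "web01": NOW - timedelta(seconds=30),
    "web02": NOW - timedelta(hours=3),       # stopped sending three hours ago
    "db01": NOW - timedelta(seconds=90),
    "stray01": NOW - timedelta(seconds=10),  # sends logs but is not in the inventory
}

# Same 180 s window as the original "where recentTime < now() - 180".
SILENT_AFTER = timedelta(seconds=180)


def load_inventory(csv_text):
    """Equivalent of '| inputlookup perimeter.csv': the set of hosts we expect to see."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {row["host"].strip() for row in rows if row.get("host", "").strip()}


def classify_hosts(inventory, last_seen, now, silent_after):
    """Join the inventory with last-seen times and label every host.

    Returns {host: (status, lastseen)} where status is one of
      ok                seen within silent_after
      silent            in inventory, newest event older than silent_after
      never-seen        in inventory, no event at all (Total=0 in the SPL version)
      not-in-inventory  sends logs but is missing from perimeter.csv
    and lastseen is formatted like strftime(recentTime, "%F %T") in SPL.
    """
    results = {}
    for host in sorted(inventory | set(last_seen)):
        seen = last_seen.get(host)
        if host not in inventory:
            status = "not-in-inventory"
        elif seen is None:
            status = "never-seen"
        elif now - seen > silent_after:
            status = "silent"
        else:
            status = "ok"
        results[host] = (status, seen.strftime("%Y-%m-%d %H:%M:%S") if seen else "")
    return results


def hosts_needing_attention(results):
    """The rows an alert would carry: everything that is not 'ok', newest-seen first
    (the Python counterpart of '| sort - lastseen')."""
    rows = [(h, s, t) for h, (s, t) in results.items() if s != "ok"]
    return sorted(rows, key=lambda r: r[2], reverse=True)


def run_report():
    """Convenience wrapper over the constructed data with the 180 s threshold."""
    return classify_hosts(load_inventory(PERIMETER_CSV), METADATA_HOSTS, NOW, SILENT_AFTER)


if __name__ == "__main__":
    for host, status, lastseen in hosts_needing_attention(run_report()):
        print(f"{host:10} {status:17} {lastseen}")
```

Note that the SPL version's `stats count by host` only sees hosts that logged inside the search time range, so the range of the search is what plays the role of `SILENT_AFTER` there; in the Python version the threshold is explicit and can be set per host class if some systems are expected to log rarely.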

jkat54
SplunkTrust
SplunkTrust

Sounds like a DNS issue. Do you have the ability to change the host names to IP addresses and then test?

0 Karma

ddrillic
Ultra Champion

Sorry, but it's not clear. Did you set up the pingstatus command as @ndoshi suggested at "pingstatus command: Why am I getting "Unknown command 'pingstatus'" trying to set up an alert?"?

It says - [screenshot]

0 Karma

saurabh_tek
Communicator

Yes, I have properly configured the above steps, and I have observed that:

The pingstatus command is working for the case where (if I manually ping the machine xyz, the result is) "Ping request could not find host xyz. Please check the name and try again."
(By the way, the names of the machines are correct in my case.)

Whereas if the result of a manual ping is "destination host unreachable", the pingstatus command is not showing those hosts (even when my base query is index=* host=*).

0 Karma
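The two ping results described in this post are distinct failure modes, and a checker has to read ping's text rather than its exit status or loss percentage to tell them apart. As an added example that is not part of the original thread and not the pingstatus command's code, here is a Python classifier run over constructed Windows and Linux ping transcripts; `classify_ping`, `reported_loss_percent` and `run_ping` are my own names, and `run_ping` assumes a `ping` binary on PATH. The Windows "Destination host unreachable" transcript mirrors a real ping quirk: the unreachable notices come back as replies and count as received packets, so the summary reads 0% loss even though the target never answered.

```python
import platform
import re
import subprocess

# Constructed ping transcripts (not captured from the poster's environment).
WIN_UNRESOLVED = (
    "Ping request could not find host xyz. Please check the name and try again.\n"
)
WIN_UNREACHABLE = """
Pinging 10.0.0.7 with 32 bytes of data:
Reply from 10.0.0.1: Destination host unreachable.
Reply from 10.0.0.1: Destination host unreachable.

Ping statistics for 10.0.0.7:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
"""
WIN_UP = """
Pinging web01.group.local [10.0.0.5] with 32 bytes of data:
Reply from 10.0.0.5: bytes=32 time<1ms TTL=128
Reply from 10.0.0.5: bytes=32 time=1ms TTL=128

Ping statistics for 10.0.0.5:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
"""
WIN_TIMEOUT = """
Pinging 10.0.0.9 with 32 bytes of data:
Request timed out.
Request timed out.

Ping statistics for 10.0.0.9:
    Packets: Sent = 2, Received = 0, Lost = 2 (100% loss),
"""
LINUX_UNREACHABLE = """
PING 10.0.0.7 (10.0.0.7) 56(84) bytes of data.
From 10.0.0.1 icmp_seq=1 Destination Host Unreachable
From 10.0.0.1 icmp_seq=2 Destination Host Unreachable

--- 10.0.0.7 ping statistics ---
2 packets transmitted, 0 received, +2 errors, 100% packet loss, time 1012ms
"""
LINUX_UNRESOLVED = "ping: xyz: Name or service not known\n"

# Order matters: a name that never resolved or a host reported unreachable is
# never "up", whatever the packet counters say.
PATTERNS = [
    ("name-not-resolved", re.compile(
        r"could not find host|Name or service not known|"
        r"Temporary failure in name resolution|unknown host", re.I)),
    ("unreachable", re.compile(r"Destination (?:host|net) unreachable", re.I)),
    ("up", re.compile(r"^(?:Reply from \S+: bytes=\d+|\d+ bytes from )", re.I | re.M)),
    ("timeout", re.compile(r"Request timed out|100% packet loss", re.I)),
]


def classify_ping(output):
    """Map raw ping output to one of: name-not-resolved, unreachable, up, timeout, unknown."""
    for label, pattern in PATTERNS:
        if pattern.search(output):
            return label
    return "unknown"


def reported_loss_percent(output):
    """The loss figure ping itself prints, kept only to show why it cannot be used alone."""
    m = re.search(r"(\d+)% (?:packet )?loss", output)
    return int(m.group(1)) if m else None


def run_ping(host, count=2, timeout=10):
    """Live check of one host; not exercised by the constructed samples above."""
    flag = "-n" if platform.system() == "Windows" else "-c"
    proc = subprocess.run(["ping", flag, str(count), host], capture_output=True,
                          text=True, errors="replace", timeout=timeout)
    return classify_ping(proc.stdout + proc.stderr)


if __name__ == "__main__":
    for name, sample in [("WIN_UNRESOLVED", WIN_UNRESOLVED), ("WIN_UNREACHABLE", WIN_UNREACHABLE),
                         ("WIN_UP", WIN_UP), ("WIN_TIMEOUT", WIN_TIMEOUT),
                         ("LINUX_UNREACHABLE", LINUX_UNREACHABLE), ("LINUX_UNRESOLVED", LINUX_UNRESOLVED)]:
        print(f"{name:18} {classify_ping(sample):18} loss={reported_loss_percent(sample)}")
```

A monitoring search that keys only on the loss percentage would file the Windows unreachable case next to the healthy host, which is the kind of silent gap to test for explicitly before trusting any ping-based availability field.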

saurabh_tek
Communicator

Splunk version 6.4

0 Karma

saurabh_tek
Communicator

Another thing I have observed is:

The pingstatus command is working for the case where (if I manually ping the machine xyz, the result is) "Ping request could not find host xyz. Please check the name and try again."
(By the way, the names of the machines are correct in my case.)

Whereas if the result of a manual ping is "destination host unreachable", the pingstatus command is not showing those hosts (even when my base query is index=* host=*).

@ndoshi, this might sound like a question from a novice, but I accept that I am not a pro. Please suggest. TIA.

0 Karma