I am trying to write a query that will tell me when the last log was sent by a host and whether that host is pingable or down.
Here is my query:
| metadata type=hosts | pingstatus url as host | where recentTime < now() - 180 | eval lastseen = strftime(recentTime, "%F %T") | fields + host lastseen pingdelay | sort - lastseen
The pingstatus command should work but is not working; maybe I am doing something wrong.
@ndoshi could you please correct me where I am wrong and help me optimize this query to achieve the desired result.
Use hostname+domain_name, or else use the IP, to get the ping results.
How to get the host domain name: look in the DHCP logs under the dns_hostname field,
or else get the IP from either of the sourcetypes and search using |ping $host$.group.local
To know if a host is connected or not you could use this simple search:
index=_internal | dedup host | table host
In this way you always know if a host is up, but you have no information about hosts that are not connected.
To have a complete picture, you have to compile a lookup (e.g. perimeter.csv) with all your hosts and then use a search like this:
| inputlookup perimeter.csv | eval count=0 | append [ search index=_internal | stats count by host ] | stats sum(count) AS Total by host
in this way:
In addition you could also give a range to your result and show it in graphic mode:
copy the following files into $SPLUNK_HOME/etc/apps/yourapp/appserver/static,
the files that you can find in the App Dashboard Examples (https://splunkbase.splunk.com/app/1603/9) under custom_table_icon_set_rangemap.
Add at the end of your search (the field name must match the one produced by the stats command above, here Total):
| rangemap field=Total severe=0-0 low=1-1000000000 default=severe
and in the first row of your dashboard:
<form script="table_icons_rangemap.js" stylesheet="table_decorations.css">
Bye.
Giuseppe
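The key point of the answer above is that a log-only search can never show a host that has stopped reporting, so the inventory lookup has to be the left side of the join and every host in it has to start with a count of 0. The following is an added example, not code from the thread or from Splunk: it reproduces that inputlookup/append/stats logic, the original question's "recentTime < now() - 180" staleness test, and the rangemap severity in plain Python over constructed sample data, so the behaviour can be checked without a Splunk instance. The inventory list and event tuples are constructed stand-ins for perimeter.csv and index=_internal.

```python
from datetime import datetime, timezone

# Constructed stand-in for perimeter.csv: every host that *should* be reporting.
INVENTORY = ["web01", "web02", "db01", "fw01"]

# Constructed stand-in for index=_internal events: (epoch seconds, host).
# "unknown99" reports but is missing from the inventory, which the join keeps.
EVENTS = [
    (1_700_000_000, "web01"),
    (1_700_000_050, "web01"),
    (1_700_000_020, "db01"),
    (1_700_000_030, "unknown99"),
]


def host_status(inventory, events, now, stale_after=180):
    """Return {host: {"Total", "lastseen", "stale", "severity"}} for every host.

    Mirrors the SPL pipeline from the answer:
      | inputlookup perimeter.csv | eval count=0
      | append [ search index=_internal | stats count by host ]
      | stats sum(count) AS Total by host
    then applies the question's staleness test (last event older than
    `stale_after` seconds) and the rangemap: severe=0-0, low=1-..., default=severe.
    """
    # Seed every inventory host with count 0 so silent hosts survive the join.
    totals = {host: 0 for host in inventory}
    recent = {}
    for ts, host in events:
        totals[host] = totals.get(host, 0) + 1
        recent[host] = max(recent.get(host, 0), ts)

    result = {}
    for host, total in totals.items():
        last = recent.get(host)
        result[host] = {
            "Total": total,
            # Same layout as strftime(recentTime, "%F %T") in the question.
            "lastseen": (
                datetime.fromtimestamp(last, timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
                if last is not None else None
            ),
            # A host with no events at all is always stale.
            "stale": last is None or last < now - stale_after,
            "severity": "low" if total >= 1 else "severe",
        }
    return result


def silent_hosts(status):
    """Hosts that appear in the inventory but sent nothing: the rows a
    log-only search (index=_internal | dedup host) would never show."""
    return sorted(h for h, row in status.items() if row["Total"] == 0)


if __name__ == "__main__":
    report = host_status(INVENTORY, EVENTS, now=1_700_000_100)
    for host in sorted(report):
        print(host, report[host])
    print("silent:", silent_hosts(report))
```

Running this with now=1_700_000_100 lists web02 and fw01 as silent and severe, keeps unknown99 even though it is not in the lookup, and shows web01 and db01 as low. Moving `now` forward past the 180-second window flips the reporting hosts to stale as well, which is the condition the original where clause selects for.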
Sounds like a DNS issue. Do you have the ability to change the host names to IP addresses and then test?
Sorry, but it's not clear. Did you set up the pingstatus command as @ndoshi suggested?
At pingstatus command: Why am I getting "Unknown command 'pingstatus'" trying to set up an alert?
It says -
Yes, I have properly configured the above steps, and I have observed that:
the pingstatus command is working for the case where (if I manually ping the machine xyz, the result is) "Ping request could not find host xyz. Please check the name and try again."
(By the way, the names of the machines are correct in my case.)
Whereas if the result of a manual ping is "destination host unreachable", the pingstatus command is not showing those hosts (even when my base query is index=* host=*).
Splunk version 6.4
Another thing I have observed is:
the pingstatus command is working for the case where (if I manually ping the machine xyz, the result is) "Ping request could not find host xyz. Please check the name and try again."
(By the way, the names of the machines are correct in my case.)
Whereas if the result of a manual ping is "destination host unreachable", the pingstatus command is not showing those hosts (even when my base query is index=* host=*).
@ndoshi, this might sound like a question from a novice, but I accept that I am not a pro. Please suggest. TIA.