
"pingstatus command" use for last seen hosts - to ensure host availability and detection of no log sent

Communicator

I am trying to write a query that tells me when the last log was sent by a host and whether that host is pingable or down.

Here is my query -

| metadata type=hosts | pingstatus url as host | where recentTime < now()-180 | eval lastseen = strftime(recentTime, "%F %T") | fields + host lastseen pingdelay | sort - lastseen

The pingstatus command should work but is not working; maybe I am doing something wrong.

@ndoshi could you please correct me where I am wrong and help me optimize this query to achieve the desired result.


Re: "pingstatus command" use for last seen hosts - to ensure host availability and detection of no log sent

Communicator

Splunk version 6.4


Re: "pingstatus command" use for last seen hosts - to ensure host availability and detection of no log sent

Communicator

Another thing I have observed is:

The pingstatus command is working for the case where, if I manually ping the machine xyz, the result is "Ping request could not find host xyz. Please check the name and try again."
(By the way, the machine names are correct in my case.)

Whereas if the result of a manual ping is "destination host unreachable", the pingstatus command is not showing those hosts (even when my base query is index=* host=*).

@ndoshi, this might sound like a question from a novice, but I accept that I am not a pro. Please suggest. TIA.


Re: "pingstatus command" use for last seen hosts - to ensure host availability and detection of no log sent

Ultra Champion

Sorry, but it's not clear. Did you set up the pingstatus command as @ndoshi suggested at pingstatus command: Why am I getting "Unknown command 'pingstatus'" trying to set up an alert?

It says: (screenshot)


Re: "pingstatus command" use for last seen hosts - to ensure host availability and detection of no log sent

Communicator

Yes, I have properly configured the above steps, and I have observed that:

The pingstatus command is working for the case where, if I manually ping the machine xyz, the result is "Ping request could not find host xyz. Please check the name and try again."
(By the way, the machine names are correct in my case.)

Whereas if the result of a manual ping is "destination host unreachable", the pingstatus command is not showing those hosts (even when my base query is index=* host=*).


Re: "pingstatus command" use for last seen hosts - to ensure host availability and detection of no log sent

SplunkTrust

Sounds like a DNS issue. Do you have the ability to change the host names to IP addresses and then test?


Re: "pingstatus command" use for last seen hosts - to ensure host availability and detection of no log sent

Legend

To know whether a host is connected or not, you could use this simple search:

index=_internal | dedup host | table host

In this way you always know whether a host is up, but you have no information about hosts that are not connected.

To have a complete picture, you have to compile a lookup (e.g. perimeter.csv) with all your hosts and then use a search like this:

| inputlookup perimeter.csv | eval count=0 | append [ search index=_internal | stats count by host ] | stats sum(count) AS Total by host

In this way:

  • if Total=0, the host is not connected,
  • if Total>0, the host is connected.

In addition, you could also give a range to your result and show it graphically:
copy the following files into $SPLUNK_HOME/etc/apps/yourapp/appserver/static

  • table_icons_rangemap.js
  • table_decorations.css

files that you can find in the App Dashboard Examples (https://splunkbase.splunk.com/app/1603/9), example "Custom Table Icon Set (Rangemap)".

Add at the end of your search (the field name must match the one produced by the stats command above, Total):

| rangemap field=Total severe=0-0 low=1-1000000000 default=severe

and in the first row of your dashboard:

<form script="table_icons_rangemap.js" stylesheet="table_decorations.css">

Bye.
Giuseppe

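As an added example, not code from the thread or from Splunk, here is the same silent-host logic in Python so it can be checked offline: an inventory of expected hosts (the role of perimeter.csv above) is joined against the hosts actually seen in the events (the role of index=_internal | stats count by host), producing a count, a last-seen time and a status per host, plus the rangemap buckets from the post. The inventory, the events and the host names are constructed for the example; the 180-second silence threshold copies the now()-180 from the original question.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed inventory standing in for perimeter.csv (assumption: one row per expected host).
PERIMETER_CSV = """host,owner
web01,platform
web02,platform
db01,data
bastion,secops
"""

# Constructed events as (epoch seconds, host), standing in for index=_internal.
NOW = 1_700_000_000
EVENTS = [
    (NOW - 30, "web01"),
    (NOW - 90, "web01"),
    (NOW - 600, "web02"),     # last seen 10 minutes ago
    (NOW - 7200, "db01"),     # last seen 2 hours ago
    (NOW - 10, "rogue01"),    # reporting, but not in the inventory
    # "bastion" is in the inventory and never reports at all
]


def load_inventory(csv_text):
    """Equivalent of `| inputlookup perimeter.csv`: the list of expected hosts."""
    return [row["host"] for row in csv.DictReader(io.StringIO(csv_text))]


def last_seen_by_host(events):
    """Equivalent of recentTime from `| metadata type=hosts`: newest event per host."""
    seen = {}
    for ts, host in events:
        if ts > seen.get(host, -1):
            seen[host] = ts
    return seen


def severity(total):
    """The rangemap from the post: severe=0-0 low=1-1000000000 default=severe."""
    if 1 <= total <= 1_000_000_000:
        return "low"
    return "severe"


def host_status(inventory, events, now, silence_threshold=180):
    """Join expected hosts against observed hosts, like the append + stats sum(count).

    Returns (report, unknown). report maps each inventory host to its event
    count (Total), last-seen time and status:
      "connected"  - events exist and the newest is within silence_threshold
      "silent"     - events exist but the newest is older than the threshold
      "never_seen" - Total=0, no events at all
    unknown lists hosts that report but are not in the inventory; the SPL
    stats would list them too, but without marking them as unexpected.
    """
    seen = last_seen_by_host(events)
    counts = {}
    for _, host in events:
        counts[host] = counts.get(host, 0) + 1

    report = {}
    for host in inventory:
        total = counts.get(host, 0)
        if total == 0:
            lastseen, status = None, "never_seen"
        else:
            lastseen = datetime.fromtimestamp(seen[host], tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
            status = "connected" if now - seen[host] <= silence_threshold else "silent"
        report[host] = {"total": total, "lastseen": lastseen, "status": status, "severity": severity(total)}

    unknown = sorted(set(counts) - set(inventory))
    return report, unknown


if __name__ == "__main__":
    report, unknown = host_status(load_inventory(PERIMETER_CSV), EVENTS, NOW)
    for host in sorted(report, key=lambda h: report[h]["status"]):
        r = report[host]
        print(f"{host:10} {r['status']:11} total={r['total']:<3} lastseen={r['lastseen']}")
    print("reporting but not in inventory:", unknown)
```

The two checks are deliberately separate: a host with Total=0 has never been seen in the window and is the "severe" bucket, while a host that is present but older than the threshold is the case the original `where recentTime < now()-180` was trying to catch; both need a follow-up reachability check, which is done outside Splunk here because ping by name depends on DNS, as the thread notes.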

Re: "pingstatus command" use for last seen hosts - to ensure host availability and detection of no log sent

Path Finder

Use hostname+domainname, or else use the IP, to get the ping results.
How to get the host
domain name: see the DHCP logs under the dns_hostname field,
or else get the IP from either of the sourcetypes and search using |ping $host$.group.local
