Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Checking for forwaders if not reporting to indexers

splunker9999
Path Finder
‎08-10-2016 11:27 AM

Hi,

We have below search running to check if any forwarder is missing for the last 15 mins.
Here below we are running across index=*, if so we are getting an error message as below:

Error in 'metadata': No 'host' key found in results. Cannot merge metadata.

Incase If I run below query only for index=_internal, search is running good,inorder to check if forwader is missing do we need to check all indexes or _internal would be fine?

|metadata type=hosts index=*
| where (now()-recentTime<7200) 
| stats count by host recentTime]
| stats count by host recentTime
| rex field=host "(?P<hostname>[^.]+)" 
| eval hostname=lower(hostname)
| eval sourceHost=hostname
| eval connectionType="universal forwarder"
| eval arch="undefined"
| eval lastReceived = recentTime
| eval lastConnected=recentTime
| eval KB = round(1000, 4)
| eval eps = round(100, 4)
| eval os= case(like(sourceHost,"l%"), "Linux",like(sourceHost,"W%"), "Windows", like(sourceHost,"w%"), "Windows", like(sourceHost,"s%"), "Solaris", like(sourceHost,"S%"), "Solaris", 1=1,"Other")
| eval mystatus = if(lastConnected<(now()-100),"quiet","dunno")
| eval status = if(lastConnected<(now()-900),"missing",if(mystatus="quiet","quiet","active"))

Thanks

Tags (1)
0 Karma
Reply

woodcock
Esteemed Legend
‎08-12-2016 12:10 PM

Enable the DMC Alert - Missing Forwarders:

http://docs.splunk.com/Documentation/Splunk/6.4.2/DMC/Platformalerts

0 Karma
Reply

skoelpin
SplunkTrust
SplunkTrust
‎08-10-2016 12:02 PM

Try this

index=_internal sourcetype=splunkd destPort!="-"| stats sparkline count by hostname, sourceHost, host, destPort, version | rename destPort as "Destination Port" | rename host as "Indexer" | rename sourceHost as "Forwarder IP" | rename version as "Splunk Forwarder Version" | rename hostname as "Forwarder Host Name" | rename sparkline as "Traffic Frequency" | sort - count

Save the search as an alert and set the timeframe to 15 minutes, it will do exactly what your asking for

Reply

splunker9999
Path Finder
‎08-10-2016 12:11 PM

Hi,
If we use search with index=_internal does this gives us results for all forwarders or it gives us only that forward to internal indexes ?

If it gives only forwarders that reports to _internal ,what should be the case if we need to find for all other indexes?

Thanks

0 Karma
Reply

skoelpin
SplunkTrust
SplunkTrust
‎08-11-2016 10:24 AM

Did this query work for you?

0 Karma
Reply

skoelpin
SplunkTrust
SplunkTrust
‎08-10-2016 12:14 PM

It will return ALL forwarders regardless of what index they are in. Try running the search

0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎08-10-2016 12:00 PM

Assuming you forward your internal indexes, the _internal search should be fine.

Metadata isnt always what you want to use though... you might try searching just index=_internal for some of these things instead of using |metadata

0 Karma
Reply

pradeepkumarg
Influencer
‎08-10-2016 11:59 AM

You don't need the index filter at all. It should just run fine with |metadata type=hosts

0 Karma
Reply

splunker9999
Path Finder
‎08-10-2016 12:07 PM

Yeah we tried using this, we are facing same error message when tried this.

 Error in 'metadata': No 'host' key found in results. Cannot merge metadata.
0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...