How to check since when the nodes are down under o...

aj2551988 · ‎07-13-2018

Hello,

I have a Splunk dashboard, wherein I can see there are multiple nodes down under multiple FQDN,

I opened the search for the nodes which are down and it showed below query -

host=smon* "nagios: HOST_PROBLEM:" "DOWN" | rex field=_raw "nagios: HOST_PROBLEM: (?.😞 (?.😞 DOWN: (?.*)" | dedup hostname host

The above query resulted in multiple nodes down but the result shows aggregated results for all the FQDNs.

I want to also see since when the nodes are down.

Is there any way we can check it?

![alt text][1] ![alt text][2]

[1]: /storage/temp/252199-2.jpg // showing the actual total number of nodes down.
[2]: /storage/temp/252198-1.jpg // showing the nodes which are under for the perticular FQDN

woodcock · ‎07-15-2018

Your rex is doing nothing so fix it or drop it. Maybe this?

host=smon* "nagios: HOST_PROBLEM:" "DOWN" 
| dedup hostname host
| table _time hostname host

renjith_nair · ‎07-13-2018

Hi @aj2551988,

Try

    host=smon* "nagios: HOST_PROBLEM:" "DOWN" | rex field=_raw "nagios: HOST_PROBLEM: (?.): (?.): DOWN: (?.*)" |stats latest (_time) as last_seen by host,hostname

Happy Splunking!

aj2551988 · ‎07-16-2018

Hello,

When Tried the above query, it is giving the error -

"Error in 'rex' command: Encountered the following error while compiling the regex 'nagios: HOST_PROBLEM: (?.): (?.): DOWN: (?.*)': Regex: unrecognized character after (? or (?-"

And

"The search job has failed due to an error. You may be able view the job in the Job Inspector."

renjith_nair · ‎07-16-2018

Your rex seems to be wrong. What you need to extract ? If you only host and hostname , you might not need that. If you need to extract something, post a sample event

Happy Splunking!

How to check since when the nodes are down under one particular FQDN

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor