Dashboards & Visualizations

How to check since when the nodes are down under one particular FQDN

aj2551988
New Member

Hello,

I have a Splunk dashboard, wherein I can see there are multiple nodes down under multiple FQDN,

I opened the search for the nodes which are down and it showed below query -

host=smon* "nagios: HOST_PROBLEM:" "DOWN" | rex field=_raw "nagios: HOST_PROBLEM: (?.😞 (?.😞 DOWN: (?.*)" | dedup hostname host

The above query resulted in multiple nodes down but the result shows aggregated results for all the FQDNs.

I want to also see since when the nodes are down.

Is there any way we can check it?

![alt text][1] ![alt text][2]

[1]: /storage/temp/252199-2.jpg // showing the actual total number of nodes down.
[2]: /storage/temp/252198-1.jpg // showing the nodes which are under for the perticular FQDN

0 Karma

woodcock
Esteemed Legend

Your rex is doing nothing so fix it or drop it. Maybe this?

host=smon* "nagios: HOST_PROBLEM:" "DOWN" 
| dedup hostname host
| table _time hostname host
0 Karma

renjith_nair
SplunkTrust
SplunkTrust

Hi @aj2551988,

Try

    host=smon* "nagios: HOST_PROBLEM:" "DOWN" | rex field=_raw "nagios: HOST_PROBLEM: (?.): (?.): DOWN: (?.*)" |stats latest (_time) as last_seen by host,hostname 
Happy Splunking!
0 Karma

aj2551988
New Member

Hello,

When Tried the above query, it is giving the error -

"Error in 'rex' command: Encountered the following error while compiling the regex 'nagios: HOST_PROBLEM: (?.): (?.): DOWN: (?.*)': Regex: unrecognized character after (? or (?-"

And

"The search job has failed due to an error. You may be able view the job in the Job Inspector."

0 Karma

renjith_nair
SplunkTrust
SplunkTrust

Your rex seems to be wrong. What you need to extract ? If you only host and hostname , you might not need that. If you need to extract something, post a sample event

Happy Splunking!
0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...