
No hostname list in Splunk for Nagios

Fcor
New Member

Hi,

I've installed a forwarder on my nagios machine and it sends the logs to my main splunk server.

My "nagios" index is fine, as I can search in it and get my info.

But my problem is that when I go to the "Alert Dashboard" my hostname list is empty.

So I looked at the plugin objects and I can't find any "Extract - hostname" or something like that.

Nagios 3.2.1 and Splunk 4.2.4.

Thanks.

For example, I got these lines from the nagios index; they seem quite normal:

12/5/11 5:57:29.000 PM
1323104249 SERVER01 MEMOIRE OK 1 HARD 0.259 0.174 OK: physical memory: 4.18G physical memory %=26%;80;90 physical memory=4281.14MB;814.90;2452.77;0;16378.63
host=BALLPSUP002.loglibris.grp-martiniere.fr | sourcetype=nagiosserviceperf | source=/srv/eyesofnetwork/nagios/var/log/service-perfdata.out

12/5/11 5:57:28.000 PM
1323104248 SERVER002 SSH OK 1 HARD 0.016 0.161 TCP OK - 0,000 second response time on port 22 time=0,000442s;;;0,000000;10,000000
host=BALLPSUP002.loglibris.grp-martiniere.fr | sourcetype=nagiosserviceperf | source=/srv/eyesofnetwork/nagios/var/log/service-perfdata.out

0 Karma

Fcor
New Member

Hi,

Thanks, it seems that I missed a point in the command line.

But when I try:

earliest=-24h index="nagios" nagiosevent="CURRENT HOST STATE" | rex ".+CURRENT HOST STATE: (?P<device>[^;]*)(?=;)"| stats count by device

I get no elements, but when I search:

earliest=-24h index="nagios" nagiosevent="SERVICE ALERT" | rex ".+SERVICE ALERT: (?P<device>[^;]*)(?=;)"| stats count by device

I got the device list.

In fact, when I search:

earliest=-24h index="nagios" sourcetype=nagios

I get a lot of information, but in "nagiosevent" I only get 4 elements:

SERVICE ALERT
SERVICE NOTIFICATION
GLOBAL SERVICE EVENT HANDLER
SERVICE EVENT HANDLER

But if I read you correctly, I should have "CURRENT HOST STATE" at midnight?

An example of what I get now:

1323164934 src_host="SERVER001" perfdata="SERVICEPERFDATA" name="FTP" severity="OK" attempt="1" statetype="HARD" executiontime="0.016" latency="0.216" reason="FTP OK - 0,005 second response time on port 21 [220 Welcome to FTP service.]" result="time=0,004622s;;;0,000000;10,000000"
host=SERVER003 | sourcetype=nagiosserviceperf | source=/srv/eyesofnetwork/nagios/var/log/service-perfdata | src_host=BALWPDMZ001

12/6/11 10:48:54.000 AM
1323164934 src_host="SERVER002" perfdata="SERVICEPERFDATA" name="SERVICE_BACKUPEXEC_AGENT" severity="OK" attempt="1" statetype="HARD" executiontime="0.275" latency="0.187" reason="OK: Backup Exec Agent Br

0 Karma

lukeh
Contributor

Hi 🙂

The hostname list in the Alerts Dashboard is populated by the following splunk search:

earliest=-24h index="nagios" nagiosevent="CURRENT HOST STATE" | rex ".+CURRENT HOST STATE\: (?P<device>[^;]*)(?=;)"| stats count by device

Could you please run that search and check if you have a list of devices (aka hostnames)?

If the above search does not return any results, please run the following search to confirm that your nagios.log file is being indexed by splunk with the correct sourcetype:

earliest=-24h index="nagios" sourcetype=nagios

Note: the nagios log contains events labelled "CURRENT HOST STATE" which are generated by default by Nagios at midnight every day.

I also noticed that you have not changed the template in your nagios installation for the performance data, i.e. the sample log data you included does not contain the key=value pairs that Splunk for Nagios is expecting.

Please follow the instructions entitled "Nagios Configuration (REQUIRED)" to fix the log format of the performance data:

http://splunk-base.splunk.com/apps/22374/splunk-for-nagios

Note: if you are using pnp4nagios or similar to generate rrd graphs then changing the log format of the performance data as above may break your rrd graphs. I am currently testing a methodology to create a new sourcetype so that both pnp4nagios and Splunk for Nagios can be used at the same time. Watch this space 🙂

All the best,

Luke 🙂

0 Karma
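As an added illustration (not part of the original thread or the Splunk for Nagios app), the following Python reproduces what the Alerts Dashboard search does: apply the `rex` pattern quoted above to nagios.log lines within a 24h window and count by device. The log lines are constructed samples in Nagios' native `[epoch] EVENT: field;field;...` layout; they show why a `SERVICE ALERT` search can return devices while the `CURRENT HOST STATE` search returns nothing once the midnight snapshot falls outside the search window.

```python
import re
from collections import Counter

# Constructed nagios.log sample (not taken from the original post).
SAMPLE_NAGIOS_LOG = """\
[1323064800] CURRENT HOST STATE: SERVER01;UP;HARD;1;PING OK - Packet loss = 0%, RTA = 0.28 ms
[1323064800] CURRENT HOST STATE: SERVER002;UP;HARD;1;PING OK - Packet loss = 0%, RTA = 0.31 ms
[1323064800] CURRENT SERVICE STATE: SERVER01;SSH;OK;HARD;1;TCP OK - 0.016 second response time on port 22
[1323104248] SERVICE ALERT: SERVER002;SSH;CRITICAL;SOFT;1;Connection refused
[1323104249] SERVICE ALERT: SERVER002;SSH;OK;SOFT;2;TCP OK - 0.016 second response time on port 22
[1323104260] SERVICE NOTIFICATION: nagiosadmin;SERVER002;SSH;OK;notify-service-by-email;TCP OK
"""

# Nagios prefixes every log line with the epoch timestamp in square brackets.
EPOCH_RE = re.compile(r"^\[(\d+)\]")


def device_rex(event_label):
    # Same shape as the dashboard's rex: anything, the event label, then the
    # device name, which runs up to the first ';' field separator.
    return re.compile(r".+" + re.escape(event_label) + r": (?P<device>[^;]*)(?=;)")


def count_by_device(log_text, event_label, now, earliest_seconds=24 * 3600):
    """Mimic 'earliest=-24h nagiosevent=<label> | rex ... | stats count by device'."""
    pattern = device_rex(event_label)
    counts = Counter()
    for line in log_text.splitlines():
        ts = EPOCH_RE.match(line)
        if not ts or int(ts.group(1)) < now - earliest_seconds:
            continue  # event is outside the search window
        m = pattern.search(line)
        if m:
            counts[m.group("device")] += 1
    return dict(counts)


if __name__ == "__main__":
    now = 1323104300  # shortly after the SERVICE ALERT events above
    print(count_by_device(SAMPLE_NAGIOS_LOG, "CURRENT HOST STATE", now))
    print(count_by_device(SAMPLE_NAGIOS_LOG, "SERVICE ALERT", now))
    # One day later the midnight host-state snapshot has aged out of the window.
    print(count_by_device(SAMPLE_NAGIOS_LOG, "CURRENT HOST STATE", now + 86400))
```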