
Schedule report: Server stopped sending data

dkeck
Influencer

Hi,

I read some answers here, but I just can't make it work.

I have a query searching for hosts and the last time they connected to splunk. This part is working fine.

index=_internal source="*metrics.log" group=tcpout_connections NOT host=xyz | eval lastConnected=max(_time) | eval lastConnected=strftime(_time , "%m.%d.%y %H:%M:%S") | stats latest(lastConnected) by host

So now I want every host which is not sending data / not connecting to Splunk, along with the time it stopped sending. This should be done for 1 week, as a scheduled report.

Help is highly appreciated.

Thank you

1 Solution

inventsekar
Super Champion

As per the Splunk wiki, I have tested this query and it works fine.

index=_internal "group=tcpin_connections" | stats max(_time) as latest by sourceHost | eventstats max(latest) as latest_all | eval lag = latest_all - latest | where lag > 604800 | fields sourceHost lag 

10080 mins = 60 mins* 24hrs *7days

And for converting the time format, we can add one strftime:

index=_internal group=tcpin_connections | stats max(_time) as latest by sourceHost | eventstats max(latest) as latest_all | eval lag = latest_all - latest | where lag > 604800 | eval lastConnected=strftime(latest, "%m.%d.%y %H:%M:%S") | table latest, lastConnected, sourceHost

https://wiki.splunk.com/Community:HowToFindLostForwarders

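The pipeline in the accepted answer (stats max(_time) by sourceHost, eventstats for the overall latest, lag in seconds, where lag > 604800, strftime) carried out in plain Python over a constructed sample of metrics.log lines. This is an added example, not code from the thread or from Splunk; the host names, addresses and timestamps are made up, and the field layout only mirrors the tcpin_connections / tcpout_connections events the queries search. It also shows why the threshold has to be in seconds: passing 10080 (the number of minutes in a week) flags hosts that were last seen only a few hours ago.

```python
import re
from datetime import datetime, timezone

SECONDS_PER_WEEK = 7 * 24 * 60 * 60  # 604800, the value used in the answer's where clause

# Constructed sample of splunkd metrics.log lines (hosts, IPs and times are invented).
# The tcpout_connections line carries no sourceHost and must be ignored, exactly as
# the group=tcpin_connections filter does in SPL.
SAMPLE_METRICS_LOG = """\
05-01-2021 10:00:00.000 +0000 INFO  Metrics - group=tcpin_connections, 10.0.0.2:50111:9997, connectionType=cooked, sourcePort=50111, sourceHost=fwd-b, sourceIp=10.0.0.2, destPort=9997, kb=4.2
05-03-2021 09:30:00.000 +0000 INFO  Metrics - group=tcpin_connections, 10.0.0.1:50222:9997, connectionType=cooked, sourcePort=50222, sourceHost=fwd-a, sourceIp=10.0.0.1, destPort=9997, kb=1.1
05-05-2021 12:00:00.000 +0000 INFO  Metrics - group=tcpin_connections, 10.0.0.3:50333:9997, connectionType=cooked, sourcePort=50333, sourceHost=fwd-c, sourceIp=10.0.0.3, destPort=9997, kb=9.0
05-08-2021 11:00:00.000 +0000 INFO  Metrics - group=tcpout_connections, idx-1:9997:0, sourcePort=8089, destIp=10.0.1.9, destPort=9997, _tcp_Bps=512.0
05-08-2021 12:00:00.000 +0000 INFO  Metrics - group=tcpin_connections, 10.0.0.1:50444:9997, connectionType=cooked, sourcePort=50444, sourceHost=fwd-a, sourceIp=10.0.0.1, destPort=9997, kb=2.7
"""

TIMESTAMP_RE = re.compile(r"^(\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4})")
SOURCEHOST_RE = re.compile(r"\bsourceHost=([^,\s]+)")


def parse_tcpin_events(log_text):
    """Yield (epoch_seconds, sourceHost) for every tcpin_connections line.

    Lines from other metrics groups are skipped, and so are lines whose
    timestamp or sourceHost field cannot be found.
    """
    for line in log_text.splitlines():
        if "group=tcpin_connections" not in line:
            continue
        ts_match = TIMESTAMP_RE.match(line)
        host_match = SOURCEHOST_RE.search(line)
        if not ts_match or not host_match:
            continue
        # metrics.log timestamps carry an explicit UTC offset, so the datetime is tz-aware
        ts = datetime.strptime(ts_match.group(1), "%m-%d-%Y %H:%M:%S.%f %z")
        yield ts.timestamp(), host_match.group(1)


def find_lost_forwarders(log_text, max_lag_seconds=SECONDS_PER_WEEK):
    """Python equivalent of the answer's SPL pipeline.

    stats max(_time) as latest by sourceHost       -> latest_by_host
    eventstats max(latest) as latest_all           -> latest_all
    eval lag = latest_all - latest | where lag > N -> the filter below (lag in seconds)
    eval lastConnected = strftime(latest, fmt)     -> the lastConnected string
    Returns a list of dicts, largest lag first.
    """
    latest_by_host = {}
    for epoch, host in parse_tcpin_events(log_text):
        latest_by_host[host] = max(epoch, latest_by_host.get(host, epoch))
    if not latest_by_host:
        return []
    latest_all = max(latest_by_host.values())
    lost = []
    for host, latest in latest_by_host.items():
        lag = latest_all - latest
        if lag > max_lag_seconds:
            lost.append({
                "sourceHost": host,
                "lag": int(lag),
                "lastConnected": datetime.fromtimestamp(latest, tz=timezone.utc)
                                         .strftime("%m.%d.%y %H:%M:%S"),
            })
    lost.sort(key=lambda row: row["lag"], reverse=True)
    return lost


if __name__ == "__main__":
    # Correct threshold (seconds): only fwd-b, silent for 7 days and 2 hours, is reported.
    for row in find_lost_forwarders(SAMPLE_METRICS_LOG):
        print(row)
    # Wrong threshold (minutes in a week used as seconds): fwd-c, last seen 3 days ago,
    # is reported as well, which is the noise a minutes/seconds mix-up produces.
    print([row["sourceHost"] for row in find_lost_forwarders(SAMPLE_METRICS_LOG, 10080)])
```

The script only stands in for the search so the arithmetic can be checked offline; in Splunk the same logic is the saved search itself, scheduled to run (for example) daily over the last week of _internal data. Note that latest_all is the newest connection seen by any forwarder, so if every forwarder stops at once the lag stays at zero; comparing against now() instead of latest_all avoids that blind spot.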
