I didn't change anything in the lookup which you have given. I am just simply using that. Still, one of the forwarders is down, and I am not getting that host name in the result.
If I remove where Total=0 from the search, I can see all other hosts but not the one which is down.
Removing Total=0, you can see all forwarders, and if you see the other forwarders this means that the search is running.
But the problem is probably in the lookup:
check the column name and check whether the missed forwarder is in the lookup.
Column names are looking good. If I search with Total>0 then I can see all the hosts but not that one forwarder which is down.
I just ran only the initial part of the query. Even in this I am not getting that host in the list.
| metasearch index=_internal | eval host=upper(host) | stats count by host
I think we cannot achieve the requirement using this lookup, or else I have to put the lookup for every host.
The problem isn't in the main search; the problem is surely in the subsearch: if you run only the subsearch (| inputlookup Perimeter.csv | eval count=0 | eval host=upper(host) | fields host count), is the missed host there?
Probably it isn't.
The result of the previous search should be:
For this reason I told you to verify the lookup column name (if it's different from "host", it must be renamed) and the missed host name.
The sense of the above search is to take the forwarders' logs and add to them the lookup hosts with count=0, so if there are no results in the search, there is anyway a record with the hostname and count=0.
I understand that, but when we search the forwarder logs to fetch the host list, in this case the host which is down already won't be in the host list.
Please correct me if I am wrong. Thanks for your help!
In the Perimeter.csv lookup you must put the monitored host list (your monitoring perimeter) to tell Splunk which hosts to check.
You can manage this list manually (using the Lookup Editor App) or using a scheduled search.
In this second case, you have to schedule a search like this to run every night (dedup host keeps one row per host instead of one row per event):
| metasearch index=_internal earliest=-30d latest=now | dedup host | fields host | outputlookup Perimeter.csv
I prefer to manage this lookup manually to avoid false positives.
I have installed the Lookup Editor app and created a sheet with only 4 hosts.
Now I am getting the hosts which have Total=0. However, if I check for >0 then I am getting all of my hosts, not only the ones which are in the input lookup file.
The CSV file has the 2 columns below. I am keeping the Total column blank and the host column contains the host names.
Thanks a lot for your help!
In your lookup you have to insert all hosts you want to monitor, both the ones you're receiving logs from and the missed ones; as you said above, you should have around 30 hosts.
If you add one forwarder to your network, you have to add it to the lookup list.
In this way you're sure to monitor all hosts in your lookup, and you're sure to also have the missed hosts in your search result.
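Added example, not part of the thread and not Splunk code: the same "perimeter lookup" logic reproduced in plain Python so the behaviour described in the replies above can be checked directly. The main search contributes one row per host that actually sent events, the subsearch contributes every host from Perimeter.csv with count=0, stats sum(count) by host merges them, and where Total=0 leaves exactly the perimeter hosts that sent nothing. Hostnames are upper-cased on both sides, as in the original search. The perimeter CSV and the list of hosts seen in index=_internal are constructed sample data; fwd-03 is the forwarder that is down, and fwd-04 sends logs but is not in the lookup.

```python
"""
Simulation of the Splunk search discussed in the thread:
  metasearch index=_internal | eval host=upper(host) | stats count by host
  | append [ inputlookup Perimeter.csv | eval count=0 | eval host=upper(host) | fields host count ]
  | stats sum(count) as Total by host | where Total=0
"""
import csv
import io
from collections import Counter

# Constructed sample: Perimeter.csv as kept with the Lookup Editor (only the host column matters).
PERIMETER_CSV = """host
fwd-01
FWD-02
fwd-03
"""

# Constructed sample: the host field of events found in index=_internal for the search window.
# fwd-03 is "down": it sent nothing, so it cannot appear here at all.
# fwd-04 sends logs but is not listed in the perimeter lookup.
INTERNAL_EVENTS = ["fwd-01", "Fwd-01", "fwd-02", "fwd-04", "fwd-04"]


def load_perimeter(csv_text, host_column="host"):
    """Subsearch: | inputlookup Perimeter.csv | eval count=0 | eval host=upper(host) | fields host count"""
    reader = csv.DictReader(io.StringIO(csv_text))
    if host_column not in (reader.fieldnames or []):
        # The thread's advice: the lookup column must be named "host" (or renamed to it).
        raise ValueError(f"lookup column {host_column!r} not found; rename it to 'host'")
    return [(row[host_column].strip().upper(), 0)
            for row in reader if row[host_column].strip()]


def observed_counts(events):
    """Main search: | metasearch index=_internal | eval host=upper(host) | stats count by host"""
    return list(Counter(h.upper() for h in events).items())


def forwarder_status(perimeter_csv, events):
    """append the subsearch rows, then | stats sum(count) as Total by host"""
    totals = Counter()
    for host, count in observed_counts(events) + load_perimeter(perimeter_csv):
        totals[host] += count
    return dict(totals)


def down_forwarders(perimeter_csv, events):
    """| where Total=0 : only hosts present in the lookup can ever end up here."""
    return sorted(h for h, t in forwarder_status(perimeter_csv, events).items() if t == 0)


if __name__ == "__main__":
    # Total>0 shows every host that sent logs (including FWD-04, which is not in the lookup);
    # Total=0 shows only FWD-03, the perimeter host without any events.
    print(forwarder_status(PERIMETER_CSV, INTERNAL_EVENTS))
    print("down:", down_forwarders(PERIMETER_CSV, INTERNAL_EVENTS))
```

This is why a down host that is not in Perimeter.csv never shows up: nothing in the main search can produce a row for a host that sent no events, so the count=0 row from the lookup is the only thing that can represent it.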
You can use Splunk's Monitoring Console to monitor deployment status.
It internally uses the following REST command, which you can run in Splunk search:
| rest splunk_server=local /services/deployment/server/clients
This will give you the lastPhonedHome time for each deployment client pinging the Splunk Deployment Server.