Any Ideas--Ensure metadata, tstats, lookups, and deployment server are in sync

Hey all,

We have hit-and-miss identification of servers that fall off of Splunk monitoring. There needs to be a critical alert if a non-decommissioned server:

1. Stops reporting to Splunk, or
2. Stops phoning home to the deployment server

Is there a way to query the REST API from the search head to determine deployment server contact?

Any help is much appreciated.

If your deployment server is forwarding its internal logs to your indexing layer, you should be able to use a query like:

index=_internal host="Your_deployment_server_hostname" "/services/broker/phonehome/"
| stats max(_time) AS last_checkin_epoch by clientip
| eval now_epoch=now()
| eval time_since_last_checkin=now_epoch-last_checkin_epoch
| sort - time_since_last_checkin
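
The following is an added example, not part of the answer above: it combines the phone-home search with a `tstats` last-event check and an inventory lookup, so that only non-decommissioned servers that went quiet on either signal are returned. It assumes a hypothetical lookup file `expected_servers.csv` with columns `host`, `ip` and `decommissioned` ("true"/"false"), a constructed threshold of 3600 seconds, and a search time range longer than that threshold.

```spl
| tstats latest(_time) AS last_event_epoch WHERE index=* BY host
| eval host=lower(host)
| append
    [ search index=_internal host="Your_deployment_server_hostname" "/services/broker/phonehome/"
      | stats max(_time) AS last_checkin_epoch BY clientip
      | lookup expected_servers.csv ip AS clientip OUTPUT host
      | eval host=lower(host) ]
| inputlookup append=true expected_servers.csv
| eval host=lower(host)
| stats max(last_event_epoch) AS last_event_epoch
        max(last_checkin_epoch) AS last_checkin_epoch
        values(decommissioned) AS decommissioned
        BY host
| where decommissioned="false"
| eval stopped_reporting=if(isnull(last_event_epoch) OR now()-last_event_epoch>3600, 1, 0)
| eval stopped_phonehome=if(isnull(last_checkin_epoch) OR now()-last_checkin_epoch>3600, 1, 0)
| where stopped_reporting=1 OR stopped_phonehome=1
| eval last_event=strftime(last_event_epoch, "%F %T"), last_checkin=strftime(last_checkin_epoch, "%F %T")
| table host stopped_reporting stopped_phonehome last_event last_checkin
| sort - stopped_reporting - stopped_phonehome host
```

Hosts that appear in the data but not in the lookup drop out at the `decommissioned="false"` filter, and inventory hosts with no events or check-ins at all in the search window are flagged on both columns.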

