Deployment Architecture

How to create a dashboard for server status i.e. whether it is up or not?

vaibhavvijay9
New Member

Hi Team,

I want to create a dashboard which shows the current status of the servers i.e. whether the server is running or not.

I am using Splunk Enterprise (on cloud) with limited functionalities added to my role. And hence, I cannot install the add-on. But, just to add to my knowledge I want to know the available add-on names.

So, please help me with the search string or any brief idea to achieve this using Search and Reporting App.

Thanks in advance!

Regards,
Vaibhav Vijay

0 Karma

dmarling
Builder

It depends on what you are monitoring. If it's just the operating system being up/down, I have an example I can give you that I use to monitor our Linux servers' OS status:

index=linux ("Startup finished" OR "shutting down for system halt" OR "shutting down for system reboot" OR "systemd-shutdownd: Shutting down" OR "Starting * about System Reboot/Shutdown" OR ("kernel time sync status"))
| eval Status=case(match(_raw,"Startup finished") OR  match(_raw, "kernel time sync status"),"Up",NOT match(_raw,"Startup finished") AND NOT match(_raw, "kernel time sync status"), "DOWN!") 
| stats max(_time) as _time latest(Status) as Status by host
| table _time host Status

If you are monitoring whether an application is running or not, that would be a different query. The basic principle is that you need to identify the specific logs for what you want to monitor that tell you that it's down, and then a log that tells you when it's back up. If you have that, you can then use the above query, but pointed at the events that you need. Without you providing me examples of those events, scrubbed of anything sensitive, I cannot really help much more than at a conceptual level.

If this comment/answer was helpful, please up vote it. Thank you.

vaibhavvijay9
New Member

Thanks @dmarling, I will try the provided search. Yes, I want to monitor the application hosted on these servers as well. On Monday, once I go back to the office, I will work on it. In case of any doubt, I will come again, and this time I will come with an initial search string. Thanks again!

0 Karma

dmarling
Builder

Is the goal to have a dashboard that shows the last status reported by a server? If so, you'll need to use a lookup table as your stateful table and craft a scheduled query that updates that table with the most recently reported status of the server. If you give some more details as to the type of queries you are using to identify server state I can at least give you some ideas on how to accomplish that.

If this comment/answer was helpful, please up vote it. Thank you.
0 Karma
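
The lookup-based approach described in the reply above, written out as a scheduled search. This is an added example, not part of the original thread: the lookup name `server_status.csv`, the field name `last_seen` and the 15-minute window are assumptions, the lookup is assumed to exist already, and the role running the search is assumed to be allowed to use `outputlookup`. The event strings are the ones from the Linux search earlier in the thread.

```spl
index=linux earliest=-15m ("Startup finished" OR "shutting down for system halt" OR "shutting down for system reboot" OR "systemd-shutdownd: Shutting down" OR "Starting * about System Reboot/Shutdown" OR "kernel time sync status")
| eval Status=if(match(_raw,"Startup finished") OR match(_raw,"kernel time sync status"),"Up","DOWN!")
| stats max(_time) as last_seen latest(Status) as Status by host
| inputlookup append=true server_status.csv
| sort 0 - num(last_seen)
| dedup host
| table host Status last_seen
| outputlookup server_status.csv
```

Each run merges the newest events with the rows already stored, keeps only the most recent row per host, and writes the result back, so a host that logged nothing in the window keeps its last known status. The dashboard panel then reads the state with `| inputlookup server_status.csv` instead of searching the raw events.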

vaibhavvijay9
New Member

Hi @dmarling, Yes.
And regarding the search, I am not clear whether I should use index="os" or index="cpu".
I have 6 servers whose logs are available in Splunk. So, for example, host="srpzzapp0232" will be used. I request you to provide a search that I can try.
Further, if you have any doubts, please ask.
Thanks.

0 Karma