I want to create a dashboard which shows the current status of the servers i.e. whether the server is running or not.
I am using Splunk Enterprise (on cloud) with limited functionalities added to my role, and hence I cannot install the add-on. But, just to add to my knowledge, I want to know the available add-on names.
So, please help me with the search string or any brief idea to achieve this using the Search and Reporting App.
Thanks in advance!
Is the goal to have a dashboard that shows the last status reported by a server? If so, you'll need to use a lookup table as your stateful table and craft a scheduled query that updates that table with the most recently reported status of the server. If you give some more details as to the type of queries you are using to identify server state I can at least give you some ideas on how to accomplish that.
Hi @dmarling, Yes.
And regarding the search, I am not clear whether I should use index="os" or index="cpu".
I have 6 servers, whose logs are available in Splunk. So, for example, host ="srpzzapp0232" will be used. I request you to provide a search that I can try.
Further, if you have any doubts, please ask.
It depends on what you are monitoring. If it's just the operating system being up/down, I have an example I can give you that I use to monitor our Linux servers' OS status:
index=linux ("Startup finished" OR "shutting down for system halt" OR "shutting down for system reboot" OR "systemd-shutdownd: Shutting down" OR "Starting * about System Reboot/Shutdown" OR ("kernel time sync status")) | eval Status=case(match(_raw,"Startup finished") OR match(_raw, "kernel time sync status"),"Up",NOT match(_raw,"Startup finished") AND NOT match(_raw, "kernel time sync status"), "DOWN!") | stats max(_time) as _time latest(Status) as Status by host | table _time host Status
If you are monitoring whether an application is running or not, that would be a different query. The basic principle is that you need to identify the specific logs for what you want to monitor that tell you that it's down, and then a log that tells you when it's back up. If you have that, you can then use the above query, but pointed at the events that you need. Without you providing me examples of those events, scrubbed of anything sensitive, I cannot really help much more than at a conceptual level.
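The stateful-table idea from the replies above, modelled in Python as an added example (not code from the thread or from Splunk): each scheduled run only sees events inside its time window, so a host with no recent up/down event drops out of the result unless the previous table is merged back in. In Splunk the table would be a lookup file that the scheduled search reads with `inputlookup` and rewrites with `outputlookup`; the host names, timestamps and log lines here are constructed.

```python
import re

# Marker strings taken from the search in the thread ("*" there is a wildcard).
UP = re.compile(r"Startup finished|kernel time sync status")
DOWN = re.compile(r"shutting down for system (halt|reboot)"
                  r"|systemd-shutdownd: Shutting down"
                  r"|Starting .* about System Reboot/Shutdown")

def classify(raw):
    """Return 'Up', 'DOWN!' or None (not a status event) for a raw log line."""
    if UP.search(raw):
        return "Up"
    if DOWN.search(raw):
        return "DOWN!"
    return None

def latest_status(events):
    """events: iterable of (epoch, host, raw). Newest status per host,
    the role played by `stats max(_time) latest(Status) by host`."""
    table = {}
    for ts, host, raw in events:
        status = classify(raw)
        if status and (host not in table or ts >= table[host][0]):
            table[host] = (ts, status)
    return table

def merge(stored, window):
    """Update the stateful table: a stored row survives unless the new
    search window holds a newer row for the same host."""
    merged = dict(stored)
    for host, row in window.items():
        if host not in merged or row[0] >= merged[host][0]:
            merged[host] = row
    return merged

# Constructed sample events for two consecutive scheduled runs.
RUN_1 = [(1000, "app01", "systemd[1]: Startup finished in 2.1s"),
         (1010, "app02", "systemd[1]: Startup finished in 1.9s"),
         (1500, "app02", "systemd-shutdownd: Shutting down")]
RUN_2 = [(2000, "app02", "systemd[1]: Startup finished in 2.0s"),
         (2100, "app01", "sshd[77]: session opened")]  # not a status event

def demo():
    """Run both windows, carrying the table forward between them."""
    state = merge({}, latest_status(RUN_1))
    return merge(state, latest_status(RUN_2))

if __name__ == "__main__":
    for host, (ts, status) in sorted(demo().items()):
        print(host, ts, status)
```

Without the merge step, the second run alone would report only app02, and app01 would vanish from the dashboard even though its last known state is "Up".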
Thanks @dmarling, I will try the provided search. Yes, I want to monitor the application hosted on these servers as well. On Monday, once I go back to the office, I will work on it. In case of any doubt, I will come again, and this time I will come with an initial search string. Thanks again!