Deployment Architecture

If my time last_connected (time) is more than 2 days ago, then...

Robbie1194
Communicator

Hi guys,

I'm trying to make a search that will tell me if a forwarder last connected (sent its heartbeat) more than a day or two ago.

I was planning on doing it through the dmc_forwarder_assets lookup file like:

| inputlookup dmc_forwarder_assets
"if last_connected (1499770914.669) is more than 2 days ago, show results"

Does anyone know the syntax for this?

Cheers!

0 Karma
1 Solution

niketn
Legend

You can run the following REST command to find out lastPhoneHomeTime (in seconds) for the various Deployment Clients forwarding data to the Splunk server.

| REST /services/deployment/server/clients
| eval difInSec=now()-lastPhoneHomeTime
| search difInSec>172800
| table name, ip, difInSec, lastPhoneHomeTime

PS: 172800 sec = 2 * 24 * 60 * 60
You can display other fields that are important from those listed in the documentation below.
https://docs.splunk.com/Documentation/Splunk/latest/RESTREF/RESTdeploy#deployment.2Fserver.2Fclients

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

0 Karma

prerana_jain
Explorer

I need to get an alert when the specific search between two is more than 10 min.

Example: "Acquired" is generated every 1 minute, but I should get an alert if the search "Acquired" takes more than 10 min.

0 Karma

prerana_jain
Explorer

I want to write a command if the specific search (e.g. Acquired) is generating every minute. But if it did not appear for more than 10 min, then I have to get an alert.

0 Karma

sbbadri
Motivator

Try the below using the dmc assets lookup:

| inputlookup dmc_forwarder_assets
| fields hostname os arch forwarder_type version last_connected status
| rename hostname as Instance
| eval now=now()
| eval Duration_Not_Connected=now-last_connected
| where Duration_Not_Connected<=2592000
| fields - last_connected now
| sort Duration_Not_Connected
| eval Duration_Not_Connected_Days=round(Duration_Not_Connected/86400,0)

0 Karma

dineshraj9
Builder

You can use a metadata query and get the information:

| metadata type=hosts
| eval diff=now()-lastTime
| where diff > 3600*24
| convert ctime(lastTime) as last_connected
| eval not_reported_since=tostring(diff,"duration")
| table host last_connected not_reported_since
0 Karma
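The three answers above all apply the same check (now minus last heartbeat, compared against a threshold in seconds) to different data sources. The following is an added example, not code from this thread or from Splunk, that applies it to the deployment-server client list outside the search language: it reads a response shaped like `GET /services/deployment/server/clients?output_mode=json`, flags clients whose `lastPhoneHomeTime` is more than two days old, and renders the gap as `D+HH:MM:SS` so that gaps longer than a day keep their day count (formatting a duration with a time-of-day pattern such as `%T` would drop it). The response shape, the client names and IPs, and the reference "now" are constructed for the example; the field names `name`, `ip` and `lastPhoneHomeTime` are the ones used in the thread and are assumed to appear in the JSON `content` of each entry. The threshold is a parameter, so the same function covers the "more than one day" variant as well.

```python
import json
import time

# Constructed reference "now" (epoch seconds, matching the timestamp quoted in the question).
SAMPLE_NOW = 1499770914

# Constructed sample response shaped like the deployment-server clients endpoint
# with output_mode=json; only the fields this example reads are included.
SAMPLE_RESPONSE = json.dumps({
    "entry": [
        {"name": "fwd-web-01", "content": {"ip": "10.0.0.11", "lastPhoneHomeTime": SAMPLE_NOW - 60}},
        {"name": "fwd-web-02", "content": {"ip": "10.0.0.12", "lastPhoneHomeTime": SAMPLE_NOW - 3 * 86400}},
        {"name": "fwd-db-01", "content": {"ip": "10.0.0.21", "lastPhoneHomeTime": SAMPLE_NOW - 2 * 86400 - 1}},
        {"name": "fwd-db-02", "content": {"ip": "10.0.0.22", "lastPhoneHomeTime": SAMPLE_NOW - 2 * 86400}},
    ]
})

TWO_DAYS = 2 * 24 * 60 * 60  # 172800 seconds, the threshold used in the accepted answer


def format_duration(seconds):
    """Render a duration in seconds as D+HH:MM:SS.

    Whole days are kept as a separate count instead of wrapping at 24 hours,
    which is what a time-of-day format such as %T would do to a duration.
    """
    seconds = int(seconds)
    days, rem = divmod(seconds, 86400)
    hours, rem = divmod(rem, 3600)
    minutes, secs = divmod(rem, 60)
    return f"{days}+{hours:02d}:{minutes:02d}:{secs:02d}"


def stale_clients(response_json, threshold_sec=TWO_DAYS, now=None):
    """Return clients whose last heartbeat is older than threshold_sec, most stale first.

    Mirrors the thread's `eval difInSec=now()-lastPhoneHomeTime | search difInSec>172800`.
    A client exactly at the threshold is not reported, matching the strict `>` comparison.
    """
    now = int(time.time()) if now is None else now
    data = json.loads(response_json)
    stale = []
    for entry in data.get("entry", []):
        content = entry.get("content", {})
        last = content.get("lastPhoneHomeTime")
        if last is None:
            continue  # no heartbeat timestamp recorded for this entry; nothing to compare
        last = int(float(last))
        dif_in_sec = now - last
        if dif_in_sec > threshold_sec:
            stale.append({
                "name": entry.get("name"),
                "ip": content.get("ip"),
                "difInSec": dif_in_sec,
                "not_reported_since": format_duration(dif_in_sec),
                "lastPhoneHomeTime": last,
            })
    stale.sort(key=lambda row: row["difInSec"], reverse=True)
    return stale


if __name__ == "__main__":
    for row in stale_clients(SAMPLE_RESPONSE, now=SAMPLE_NOW):
        print(f'{row["name"]:<12} {row["ip"]:<12} {row["not_reported_since"]:>12}  {row["lastPhoneHomeTime"]}')
```

Run as-is, the script reports fwd-web-02 (three days silent) and fwd-db-01 (one second past the two-day mark) and leaves fwd-db-02 out, because its gap is exactly 172800 seconds and the comparison is strict, the same edge the SPL `search difInSec>172800` has. Against a live server the JSON would come from the endpoint with `output_mode=json` and `now` would be left at its default.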