
If my time last_connected (time) is more than 2 days ago, then...

Robbie1194
Communicator

Hi guys,

I'm trying to make a search that will tell me if a forwarder last connected (sent its heartbeat) more than a day or two ago.

I was planning on doing it through the dmc_forwarder_assets lookup file like:

| inputlookup dmc_forwarder_assets
"if last_connected (1499770914.669) is more than 2 days ago, show results"

Does anyone know the syntax for this?

Cheers!


niketnilay
Legend

You can run the following REST command to find out lastPhoneHomeTime (in seconds) for various Deployment Clients forwarding data to Splunk Server.

| REST /services/deployment/server/clients
| eval diffInSec=now()-lastPhoneHomeTime
| search diffInSec>172800
| table name, ip, diffInSec, lastPhoneHomeTime

PS: 172800 sec = 2 * 24 * 60 * 60
You can display other fields that are important from those listed in the documentation below.
https://docs.splunk.com/Documentation/Splunk/latest/RESTREF/RESTdeploy#deployment.2Fserver.2Fclients

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"



prerana_jain
Explorer

I need to get an alert when the specific search between two is more than 10 min.

Example: "Acquired" is generated every 1 minute. But I should get an alert if the search "Acquired" takes more than 10 min.


prerana_jain
Explorer

I want to write a command if the specific search (Ex: Acquired) is generated every minute. But if it did not appear for more than 10 min, then I have to get an alert.


sbbadri
Motivator

Try the below using the dmc assets lookup:

| inputlookup dmc_forwarder_assets
| fields hostname os arch forwarder_type version last_connected status
| rename hostname as Instance
| eval now=now()
| eval Duration_Not_Connected=now-last_connected
| where Duration_Not_Connected<=2592000
| fields - last_connected now
| sort Duration_Not_Connected
| eval Duration_Not_Connected_Days = round(Duration_Not_Connected/86400,0)



dineshraj9
Builder

You can use a metadata query to get the information:

| metadata type=hosts
| eval diff=now()-lastTime
| where diff > 3600*24
| convert ctime(lastTime) as last_connected
| eval not_reported_since=tostring(diff,"duration")
| table host last_connected not_reported_since
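An added example (not code from the thread) that reproduces the logic of the answers above offline in Python: it reads rows in the shape of the dmc_forwarder_assets lookup, flags forwarders whose last_connected is older than the threshold, renders the age as days plus HH:MM:SS, and also covers the follow-up about a once-a-minute event going quiet for more than 10 minutes. The sample rows, hostnames and the fixed `now` value are constructed assumptions.

```python
import csv
import io

# Constructed sample rows in the shape of the dmc_forwarder_assets lookup
# (hostname, forwarder_type, last_connected as epoch seconds). Not real data.
SAMPLE_LOOKUP = """hostname,forwarder_type,last_connected
uf-web-01,uf,1499770914.669
uf-db-02,uf,1499943714.000
hf-proxy-03,hf,1499951114.500
uf-legacy-04,uf,
"""

TWO_DAYS = 2 * 24 * 60 * 60  # 172800 seconds, as in the accepted answer


def format_duration(seconds):
    """Render seconds as D+HH:MM:SS, the way Splunk's tostring(X,"duration")
    does. Formatting a duration with strftime(diff,"%T") wraps at 24 hours
    and silently drops whole days, so a 3-day outage looks like hours."""
    days, rem = divmod(int(seconds), 86400)
    hours, rem = divmod(rem, 3600)
    minutes, secs = divmod(rem, 60)
    hms = f"{hours:02d}:{minutes:02d}:{secs:02d}"
    return f"{days}+{hms}" if days else hms


def stale_forwarders(lookup_csv, now, threshold=TWO_DAYS):
    """Return [(hostname, age_seconds, pretty_age)] for forwarders whose last
    heartbeat is more than `threshold` seconds before `now`, oldest first.
    A blank last_connected means the host never phoned home; it is reported
    (age None) rather than dropped by the arithmetic, since a forwarder that
    never sends is the biggest logging gap of all."""
    stale = []
    for row in csv.DictReader(io.StringIO(lookup_csv)):
        raw = (row.get("last_connected") or "").strip()
        if not raw:
            stale.append((row["hostname"], None, "never connected"))
            continue
        age = now - float(raw)
        if age > threshold:
            stale.append((row["hostname"], age, format_duration(age)))
    return sorted(stale, key=lambda r: float("inf") if r[1] is None else r[1],
                  reverse=True)


def heartbeat_gaps(timestamps, max_gap=600):
    """Return (start, end, gap_seconds) for consecutive events further apart
    than max_gap; this is the follow-up case of an event that should arrive
    every minute going quiet for more than 10 minutes."""
    ts = sorted(timestamps)
    return [(a, b, b - a) for a, b in zip(ts, ts[1:]) if b - a > max_gap]
```

With `now` fixed at 1500000000.0, only uf-web-01 (about 2 days 15 hours old) and the never-connected uf-legacy-04 are returned; the other two rows are within the two-day window.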