Deployment Architecture

If my time last_connected (time) is more than 2 days ago, then...

Communicator

Hi guys,

I'm trying to make a search that will tell me if a forwarder last connected (sent its heartbeat) more than a day or two ago.

I was planning on doing it through the dmcforwarderassets lookup file like:

| inputlookup dmcforwarderassets
"if last_connected (1499770914.669) is more than 2 days ago, show results"

Does anyone know the syntax for this?

Cheers!

0 Karma
1 Solution

SplunkTrust

You can run the following REST command to find out lastPhoneHomeTime (in seconds) for various Deployment Clients forwarding data to Splunk Server.

| rest /services/deployment/server/clients
| eval diffInSec=now()-lastPhoneHomeTime
| search diffInSec>172800
| table name, ip, diffInSec, lastPhoneHomeTime

PS: 172800 sec = 2 * 24 * 60 * 60
You can display other fields that are important from those listed in the documentation below.
https://docs.splunk.com/Documentation/Splunk/latest/RESTREF/RESTdeploy#deployment.2Fserver.2Fclients

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"


0 Karma
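The same staleness check as the accepted answer, done outside Splunk as an added example (not code from the thread): it parses the JSON form of the `/services/deployment/server/clients` listing, flags every deployment client whose `lastPhoneHomeTime` is older than the 172800 s threshold, and also reports clients that have never phoned home, which the SPL version silently drops because `now()-null` is null. The response shape (`entry[].name`, `entry[].content.ip`, `entry[].content.lastPhoneHomeTime`) is assumed from the REST reference linked above; the client records are constructed sample data.

```python
import json
import time

# Constructed sample standing in for the output of
# /services/deployment/server/clients?output_mode=json (shape assumed, values invented).
SAMPLE_RESPONSE = json.dumps({
    "entry": [
        {"name": "fwd-web-01", "content": {"ip": "10.0.0.11", "lastPhoneHomeTime": 1499770914}},
        {"name": "fwd-db-02",  "content": {"ip": "10.0.0.22", "lastPhoneHomeTime": 1499500000}},
        {"name": "fwd-dc-03",  "content": {"ip": "10.0.0.33", "lastPhoneHomeTime": 1499000000}},
        {"name": "fwd-new-04", "content": {"ip": "10.0.0.44"}},  # registered, never phoned home
    ]
})

TWO_DAYS = 2 * 24 * 60 * 60  # 172800 s, the threshold used in the accepted answer


def stale_clients(raw_json, now, max_age_sec=TWO_DAYS):
    """Return [(name, ip, age_seconds)] for clients not heard from within max_age_sec.
    Clients with no lastPhoneHomeTime get age None and are listed first; the rest
    are sorted oldest first, so the longest logging gap is at the top."""
    stale = []
    for entry in json.loads(raw_json).get("entry", []):
        content = entry.get("content", {})
        last = content.get("lastPhoneHomeTime")
        if last is None:
            stale.append((entry.get("name"), content.get("ip"), None))
            continue
        age = now - float(last)
        if age > max_age_sec:
            stale.append((entry.get("name"), content.get("ip"), age))
    stale.sort(key=lambda r: (r[2] is not None, -(r[2] or 0)))
    return stale


def format_age(age_sec):
    """Render an age in seconds as 'Dd Hh Mm'; None means the client never checked in."""
    if age_sec is None:
        return "never"
    days, rem = divmod(int(age_sec), 86400)
    hours, rem = divmod(rem, 3600)
    return f"{days}d {hours}h {rem // 60}m"


if __name__ == "__main__":
    for name, ip, age in stale_clients(SAMPLE_RESPONSE, now=time.time()):
        print(f"{name:12} {ip:12} last phone-home: {format_age(age)} ago")
```

Against a live deployment server, replace `SAMPLE_RESPONSE` with the body of an authenticated GET to the endpoint above; the endpoint only lists deployment clients, so forwarders not managed by that deployment server will not appear.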

Explorer

I need to get an alert when the gap between two results of a specific search is more than 10 min.

Example: "Acquired" is generated every 1 minute, but I should get an alert if the search "Acquired" takes more than 10 min.

0 Karma

Explorer

I want to write a command for a specific search (e.g. "Acquired") that is generated every minute, but if it does not appear for more than 10 min, I have to get an alert.

0 Karma

Motivator

Try the below using the DMC assets lookup,

| inputlookup dmcforwarderassets
| fields hostname os arch forwardertype version lastconnected status
| rename hostname as Instance
| eval now=now()
| eval DurationNotConnected=now-lastconnected
| where DurationNotConnected<=2592000
| fields - lastconnected now
| sort DurationNotConnected
| eval DurationNotConnectedDays=round(DurationNotConnected/86400,0)

0 Karma


Builder

You can use a metadata query to get the information:

| metadata type=hosts
| eval diff=now()-lastTime
| where diff > 3600*24
| convert ctime(lastTime) as last_connected
| eval not_reported_since=tostring(diff,"duration")
| table host last_connected not_reported_since

0 Karma