If my Splunk is installed on a server and the server is down, how will I tackle this problem in real time?
Any help is appreciated.
Can you be a little bit more detailed, please? Which server are you using? When is the server going down? What does it mean that the server is going down?
I meant, my Splunk is installed on an IIS server. Is there a way, by using alerting/monitoring, that I can get to know the server is down, such as can it send any message before it is down?
You have installed a Splunk Forwarder on your IIS server and you're collecting from IIS logs. And you want to detect in advance in case your IIS is going down or stops working, based on the machine data.
So there are different ways, and that is a learning curve in your environment. Potentially you already have a historical record of data for this.
First: Collect all the data
Secondly: Investigate and review
--> That is what you're asking. Review the activity from the last outages and see what was in the log. Is there something which indicates this outage? Maybe different error messages?
From there you can then start to create reports + alerts. So in case similar error messages or behavior occur (more/less events, streamstats, stats, eval statements!) you want to get a notification.
However, IIS does not crash because there is the default website of Microsoft. IIS crashes because the application or website on it has some issues, so that is the good reason why with Splunk you're flexible to create such monitoring, as no vendor will know your IIS application 😉
It depends. Obviously no data will be indexed while the server is down. Splunk Universal Forwarders can buffer events for a time until the server is back up. Other applications that send events to Splunk may or may not buffer events. Some Splunk apps (like DB Connect) should pick up where they left off, however others may not.
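The two replies above describe two signals: unusual error or volume patterns before an outage, and data simply stopping once the server is down. As an added example (not code from any poster in this thread), here are two alert searches, one per signal. The index name `iis`, the sourcetype `iis`, the `sc_status` field and all thresholds are assumptions to adapt to your environment.

```spl
| tstats latest(_time) as last_seen where index=iis by host ```search 1: hosts that went silent; index=iis is an assumed index name```
| eval minutes_silent = round((now() - last_seen) / 60, 1)
| where minutes_silent > 15 ```15 minutes is an assumed threshold```
| convert ctime(last_seen)
| table host last_seen minutes_silent

index=iis sourcetype=iis earliest=-2h ```search 2: 5xx spike or traffic drop; sourcetype and sc_status are assumed names```
| bin _time span=5m
| stats count as total count(eval(sc_status>=500)) as errors by _time, host
| eval error_pct = round(100 * errors / total, 2)
| streamstats window=12 current=f avg(error_pct) as base_pct avg(total) as base_total by host
| where (error_pct > 5 AND error_pct > 3 * base_pct) OR total < 0.2 * base_total
| table _time host total errors error_pct base_pct base_total
```

Run search 1 over a time range much longer than the silence threshold (for example the last 24 hours), because a host with no events in the range does not appear at all. The newest 5-minute bucket in search 2 is usually partial, so schedule it on a 5-minute boundary or disregard its last row.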