Deployment Architecture

Why is the metadata type=hosts command for *nix search heads showing incorrect lastTime and recentTime?

hlarimer
Communicator

I am using the metadata type=host command to alert me when a forwarder goes down and am now wanting to extend it to search heads. The command works great for *nix forwarders but for *nix search heads it is showing me that 2/3 SH heads haven't reported in 82 days. These are both up and forwarding their _internal logs to the indexers.

Any ideas why this is reporting incorrectly?

Tags (3)
1 Solution

martin_mueller
SplunkTrust
SplunkTrust

I'd recommend switching to tstats for this kind of reporting, it'll still be blazingly fast and much more flexible. For example:

| tstats latest(_time) where index=_internal by host

That'll give you the latest timestamp for each host in the _internal index. If there's an event sent by those SHs later than that 82 days ago it'll find it.

As for actually monitoring your deployment, take a look at the new distributed monitoring console that was just released together with 6.2 - awesome stuff.

View solution in original post