Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Distributed Management Console: How to monitor and alert if forwarders have not phoned home over 24 hours?

prtlin
Engager
‎02-02-2016 06:35 AM

In the Distributed Management Console, there is a pre-built alert called "DMC Alert - Missing forwarders", and inside the alert is the search string:

| inputlookup dmc_forwarder_assets
| search status="missing" 
| rename hostname as Instance

I actually looked inside of the lookup table and it is empty. Does anyone know how Splunk populates this lookup table?

Or does anyone have a better solution using some other tools to send alerts/reports once there has been more than 24 hours since the forwarder last contacted/phoned home with Splunk?

Thanks

0 Karma
Reply

anshu
Path Finder
‎02-11-2016 09:56 AM

prtlin, I updated my answer to include a manual method for building the forwarder assets table. Were you able to get the lookup table populated?

0 Karma
Reply

ppablo
Retired
‎02-02-2016 03:20 PM

Hi @prtlin

What is the name of the pre-built alert you were referring to in your post? You said:

pre-built alert called ""

but I'm not sure if you accidentally deleted what was inside the double quotes when you originally posted your question.

0 Karma
Reply

prtlin
Engager
‎02-03-2016 06:15 AM

DMC Alert - Missing forwarders

Reply

anshu
Path Finder
‎02-02-2016 10:19 AM

There is a scheduled search called "DMC Forwarder - Build Asset Table" that populates that lookup table. You can manually build the forwarder assets table by going to the DMC App then the "Settings" > "Forwarder Monitoring Setup" page and clicking on the "Rebuild Forwarder Assets" button.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...