Distributed Management Console: How to monitor and...

prtlin · ‎02-02-2016

In the Distributed Management Console, there is a pre-built alert called "DMC Alert - Missing forwarders", and inside the alert is the search string:

| inputlookup dmc_forwarder_assets
| search status="missing" 
| rename hostname as Instance

I actually looked inside of the lookup table and it is empty. Does anyone know how Splunk populates this lookup table?

Or does anyone have a better solution using some other tools to send alerts/reports once there has been more than 24 hours since the forwarder last contacted/phoned home with Splunk?

Thanks

anshu · ‎02-11-2016

prtlin, I updated my answer to include a manual method for building the forwarder assets table. Were you able to get the lookup table populated?

ppablo · ‎02-02-2016

Hi @prtlin

What is the name of the pre-built alert you were referring to in your post? You said:

pre-built alert called ""

but I'm not sure if you accidentally deleted what was inside the double quotes when you originally posted your question.

prtlin · ‎02-03-2016

DMC Alert - Missing forwarders

anshu · ‎02-02-2016

There is a scheduled search called "DMC Forwarder - Build Asset Table" that populates that lookup table. You can manually build the forwarder assets table by going to the DMC App then the "Settings" > "Forwarder Monitoring Setup" page and clicking on the "Rebuild Forwarder Assets" button.

Distributed Management Console: How to monitor and alert if forwarders have not phoned home over 24 hours?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms