Distributed Management Console: How to monitor and...

prtlin · ‎02-02-2016

In the Distributed Management Console, there is a pre-built alert called "DMC Alert - Missing forwarders", and inside the alert is the search string:

| inputlookup dmc_forwarder_assets
| search status="missing" 
| rename hostname as Instance

I actually looked inside of the lookup table and it is empty. Does anyone know how Splunk populates this lookup table?

Or does anyone have a better solution using some other tools to send alerts/reports once there has been more than 24 hours since the forwarder last contacted/phoned home with Splunk?

Thanks

anshu · ‎02-11-2016

prtlin, I updated my answer to include a manual method for building the forwarder assets table. Were you able to get the lookup table populated?

ppablo · ‎02-02-2016

Hi @prtlin

What is the name of the pre-built alert you were referring to in your post? You said:

pre-built alert called ""

but I'm not sure if you accidentally deleted what was inside the double quotes when you originally posted your question.

prtlin · ‎02-03-2016

DMC Alert - Missing forwarders

anshu · ‎02-02-2016

There is a scheduled search called "DMC Forwarder - Build Asset Table" that populates that lookup table. You can manually build the forwarder assets table by going to the DMC App then the "Settings" > "Forwarder Monitoring Setup" page and clicking on the "Rebuild Forwarder Assets" button.

Distributed Management Console: How to monitor and alert if forwarders have not phoned home over 24 hours?

Combine Multiline Logs into a Single Event with SOCK - a Guide for Advanced Users

Everything Community at .conf24!

Index This | I’m short for "configuration file.” What am I?