Getting Data In

Distributed Management Console: How to monitor and alert if forwarders have not phoned home over 24 hours?

prtlin
Engager

In the Distributed Management Console, there is a pre-built alert called "DMC Alert - Missing forwarders", and inside the alert is the search string:

| inputlookup dmc_forwarder_assets
| search status="missing" 
| rename hostname as Instance

I actually looked inside of the lookup table and it is empty. Does anyone know how Splunk populates this lookup table?

Or does anyone have a better solution using some other tools to send alerts/reports once there has been more than 24 hours since the forwarder last contacted/phoned home with Splunk?

Thanks

0 Karma

anshu
Path Finder

prtlin, I updated my answer to include a manual method for building the forwarder assets table. Were you able to get the lookup table populated?

0 Karma

ppablo
Retired

Hi @prtlin

What is the name of the pre-built alert you were referring to in your post? You said:

pre-built alert called ""

but I'm not sure if you accidentally deleted what was inside the double quotes when you originally posted your question.

0 Karma

prtlin
Engager

DMC Alert - Missing forwarders

anshu
Path Finder

There is a scheduled search called "DMC Forwarder - Build Asset Table" that populates that lookup table. You can manually build the forwarder assets table by going to the DMC App then the "Settings" > "Forwarder Monitoring Setup" page and clicking on the "Rebuild Forwarder Assets" button.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...