
Distributed Management Console: How to monitor and alert if forwarders have not phoned home over 24 hours?

Engager

In the Distributed Management Console, there is a pre-built alert called "DMC Alert - Missing forwarders", and inside the alert is the search string:

| inputlookup dmc_forwarder_assets
| search status="missing" 
| rename hostname as Instance

I actually looked inside of the lookup table and it is empty. Does anyone know how Splunk populates this lookup table?

Or does anyone have a better solution using some other tools to send alerts/reports once there has been more than 24 hours since the forwarder last contacted/phoned home with Splunk?

Thanks

0 Karma

Re: Distributed Management Console: How to monitor and alert if forwarders have not phoned home over 24 hours?

Path Finder

There is a scheduled search called "DMC Forwarder - Build Asset Table" that populates that lookup table. You can manually build the forwarder assets table by going to the DMC App then the "Settings" > "Forwarder Monitoring Setup" page and clicking on the "Rebuild Forwarder Assets" button.

0 Karma

Re: Distributed Management Console: How to monitor and alert if forwarders have not phoned home over 24 hours?

Community Manager

Hi @prtlin

What is the name of the pre-built alert you were referring to in your post? You said:

pre-built alert called ""

but I'm not sure if you accidentally deleted what was inside the double quotes when you originally posted your question.

0 Karma

Re: Distributed Management Console: How to monitor and alert if forwarders have not phoned home over 24 hours?

Engager

DMC Alert - Missing forwarders


Re: Distributed Management Console: How to monitor and alert if forwarders have not phoned home over 24 hours?

Path Finder

prtlin, I updated my answer to include a manual method for building the forwarder assets table. Were you able to get the lookup table populated?

0 Karma
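
An added example (not from any poster in this thread, and not the DMC's own search): one way to alert on forwarders that have been silent for more than 24 hours without depending on the dmc_forwarder_assets lookup is to read the indexers' forwarder connection metrics in _internal directly. It assumes those events carry group=tcpin_connections with hostname, fwdType and version fields; the 7-day lookback is chosen for illustration.

```spl
index=_internal sourcetype=splunkd group=tcpin_connections fwdType=* earliest=-7d
| stats latest(_time) as last_seen latest(fwdType) as fwdType latest(version) as version by hostname
| eval hours_silent = round((now() - last_seen) / 3600, 1)
| where hours_silent > 24
| eval last_seen = strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| rename hostname as Instance
| sort - hours_silent
```

Scheduled as an alert that triggers when the result count is greater than zero, this reports only forwarders that connected at least once inside the lookback window; a forwarder silent for longer than that drops out of the results.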