Getting Data In

How to check how long Splunk UF agents have been down on particular servers?

splunker969
Communicator

Hi,

We have a list of servers a, b, c, d, e, f. How can we check how long the Splunk UF agents were down on servers a, b, c, d, e, f? We have now restarted the UF agents. I am looking for a query. Any help would be great. Thanks in advance 🙂

0 Karma

ddrillic
Ultra Champion

We use -

| inputlookup <lookup with host column>.csv 
| fields host 
| join type=left host 
    [| metadata type=hosts index=<index name>
    | eval host=lower(host) 
    | eval _time=recentTime 
    | sort host, _time 
    | stats latest(_time) as recentTime by host ] 
| eval LAST=strftime(recentTime,"%a %m/%d/%Y-%T %Z(%z)"), DAYS_AGO=round((recentTime-now())/86400,0)
0 Karma

somesoni2
Revered Legend

I would've suggested something similar, but they've restarted the UF, so logs would be coming through and that recentTime would be updated. They want to know for how long it was down.

0 Karma

ddrillic
Ultra Champion

oh oh oh - got it. Thank you @somesoni2.

0 Karma

somesoni2
Revered Legend

Assuming that you're using a deployment server to manage your UF configuration and you forward your deployment server's internal logs to your indexers, try something like this (the accuracy of the downtime will be +/- the phone-home period of your UF; in the last where clause, replace PutPhoneHomePeriodInSecsHere with your actual phone-home interval).

index=_internal host=a OR host=b OR host=..all other hosts.. component=HttpPubSubConnection Running phone
| table _time host | sort 0 host _time | streamstats current=f window=1 values(_time) as prev_time 
| eval duration=abs(_time-prev_time) | stats max(duration) as downtime by host | where downtime>PutPhoneHomePeriodInSecsHere

splunker969
Communicator

Hi somesoni2 ,

Thanks for the query. In the above query, how can I know from which time to when the Splunk server was down, for example 8/3/2018 7 am to 8/4/2018 6 am, and the downtime in hours, please?

Thanks,
splunker969

0 Karma

somesoni2
Revered Legend

Give this version a try

index=_internal host=a OR host=b OR host=..all other hosts.. component=HttpPubSubConnection Running phone
 | table _time host | sort 0 host _time | streamstats current=f window=1 values(_time) as prev_time 
 | eval downtime=abs(_time-prev_time) | where downtime>PutPhoneHomePeriodInSecsHere
| eval DownFrom=strftime(prev_time,"%+") | eval DownTo=strftime(_time,"%+") | eval downtime_hours=round(downtime/3600)| eval downtime=tostring(downtime,"duration")
| table host DownFrom DownTo downtime downtime_hours
0 Karma

MonkeyK
Builder

Kind of an old thread, but it seems to me that the streamstats needs a "by host" clause. Otherwise it will be comparing the last entry for one host with the first entry of another host.

0 Karma
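The gap logic from somesoni2's queries, with the per-host grouping MonkeyK asks for, written out in Python as an added example (it is not code from the thread or from Splunk; Python stands in for SPL so the logic can be run offline). It also folds in the "last seen per expected host" idea from ddrillic's metadata join, because a forwarder that is still down has no closing phone-home event and the gap query alone can never report it. Assumptions: the constructed sample lines embed "host=" in the message text (in Splunk, host is index-time metadata, not part of the splunkd.log line); the phone-home interval is the deploymentclient.conf default of 60 seconds; and the threshold is interval times a tolerance factor of 1.5, my choice, so that ordinary scheduling jitter is not counted as an outage.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Assumed phone-home interval: deploymentclient.conf phoneHomeIntervalInSecs defaults to 60.
PHONEHOME_SECS = 60

# Constructed sample of the events the thread's search would return. Real splunkd.log
# lines do not contain "host="; Splunk attaches host as metadata. It is embedded here
# only so the sample is self-contained. Host a had a 23 h outage and is back, b stopped
# phoning home and never returned, c has normal 60 s (+ jitter) gaps, d never appears.
SAMPLE_EVENTS = """\
08-03-2018 06:58:00.000 +0000 host=a INFO  HttpPubSubConnection - Running phone uri=/services/broker/phonehome/connection_a
08-03-2018 06:59:00.000 +0000 host=a INFO  HttpPubSubConnection - Running phone uri=/services/broker/phonehome/connection_a
08-04-2018 06:00:00.000 +0000 host=a INFO  HttpPubSubConnection - Running phone uri=/services/broker/phonehome/connection_a
08-04-2018 06:01:00.000 +0000 host=a INFO  HttpPubSubConnection - Running phone uri=/services/broker/phonehome/connection_a
08-02-2018 12:00:00.000 +0000 host=b INFO  HttpPubSubConnection - Running phone uri=/services/broker/phonehome/connection_b
08-02-2018 12:01:00.000 +0000 host=b INFO  HttpPubSubConnection - Running phone uri=/services/broker/phonehome/connection_b
08-02-2018 12:02:00.000 +0000 host=b INFO  HttpPubSubConnection - Running phone uri=/services/broker/phonehome/connection_b
08-04-2018 06:00:00.000 +0000 host=c INFO  HttpPubSubConnection - Running phone uri=/services/broker/phonehome/connection_c
08-04-2018 06:01:03.000 +0000 host=c INFO  HttpPubSubConnection - Running phone uri=/services/broker/phonehome/connection_c
"""

# Fixed "now" so the result is reproducible; a live tool would use time.time().
NOW = datetime(2018, 8, 4, 6, 2, 10, tzinfo=timezone.utc).timestamp()

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4}) host=(?P<host>\S+) "
    r".*HttpPubSubConnection - Running phone "
)


def parse_events(text):
    """Return (host, epoch_seconds) for every phone-home line; other lines are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%m-%d-%Y %H:%M:%S.%f %z")
            events.append((m["host"].lower(), ts.timestamp()))
    return events


def downtime_windows(events, phonehome_secs=PHONEHOME_SECS, tolerance=1.5):
    """Gaps between consecutive phone-homes of the SAME host longer than
    phonehome_secs * tolerance, as {host: [(down_from, down_to, seconds), ...]}.

    This is the streamstats prev_time logic from the thread, grouped per host as MonkeyK
    says it must be: one sorted stream hands host a's last timestamp to host b's first
    event as prev_time, inventing an outage (or, when a's last event is later than b's
    first, the reversed DownFrom/DownTo splunker969 saw). Within one host the sorted
    stream guarantees prev < cur, so no abs() is needed."""
    threshold = phonehome_secs * tolerance
    by_host = defaultdict(list)
    for host, t in events:
        by_host[host].append(t)
    windows = {}
    for host, times in by_host.items():
        times.sort()
        gaps = [(prev, cur, cur - prev) for prev, cur in zip(times, times[1:]) if cur - prev > threshold]
        if gaps:
            windows[host] = gaps
    return windows


def last_seen(events):
    """Most recent phone-home per host (what the metadata/recentTime join reports)."""
    seen = {}
    for host, t in events:
        seen[host] = max(t, seen.get(host, t))
    return seen


def report(expected_hosts, events, now, phonehome_secs=PHONEHOME_SECS, tolerance=1.5):
    """Classify each expected host as {host: (status, down_from, down_to, seconds)}, where
    status is never_seen, still_down, down (longest past outage, like stats max(duration)
    by host) or up. Hosts in the expected list but absent from the data are reported too."""
    seen = last_seen(events)
    windows = downtime_windows(events, phonehome_secs, tolerance)
    result = {}
    for host in (h.lower() for h in expected_hosts):
        if host not in seen:
            result[host] = ("never_seen", None, None, None)
        elif now - seen[host] > phonehome_secs * tolerance:
            # A gap with no closing event is an outage still in progress: DownTo is now.
            result[host] = ("still_down", seen[host], now, now - seen[host])
        elif host in windows:
            result[host] = ("down",) + max(windows[host], key=lambda w: w[2])
        else:
            result[host] = ("up", None, None, None)
    return result


def fmt(epoch):
    return datetime.fromtimestamp(epoch, timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


if __name__ == "__main__":
    for host, (status, f, t, secs) in report(["a", "b", "c", "d"], parse_events(SAMPLE_EVENTS), NOW).items():
        if f is None:
            print(f"{host}: {status}")
        else:
            print(f"{host}: {status} from {fmt(f)} to {fmt(t)} ({secs / 3600:.1f} h)")
```

On the Splunk side the same grouping is the one-token change MonkeyK describes: streamstats current=f window=1 values(_time) as prev_time by host. With that clause the first event of each host has no prev_time, so its duration is null and the where clause drops it instead of comparing across hosts. Pick the where threshold comfortably above the configured interval (host c above shows why a bare "greater than the interval" test fires on a few seconds of jitter), and pair the gap search with a latest-phone-home-versus-now check for forwarders that have not come back yet.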

splunker969
Communicator

Hi somesoni2

This query is not working.

Thanks,
Splunker969

0 Karma

somesoni2
Revered Legend

Not getting any output OR not getting correct output?

0 Karma

splunker969
Communicator

Not getting any output

0 Karma

somesoni2
Revered Legend

How about this one?

index=_internal host=a OR host=b OR host=..all other hosts.. component=HttpPubSubConnection Running phone
 | table _time host | sort 0 host _time | streamstats current=f window=1 values(_time) as prev_time 
 | eval duration=abs(_time-prev_time) | eventstats max(duration) as downtime by host | where downtime>PutPhoneHomePeriodInSecsHere AND downtime=duration | eval DownFrom=strftime(prev_time,"%+") | eval DownTo=strftime(_time,"%+")
0 Karma

splunker969
Communicator

Hi somesoni2

This query is not working. Not getting any output.

Thanks,
Splunker969

0 Karma

splunker969
Communicator

Need help on this question can anybody help me? Thanks in advance !

0 Karma

somesoni2
Revered Legend

Does this yield in something?

index=_internal host=a OR host=b OR host=..all other hosts.. component=HttpPubSubConnection Running phone
  | table _time host | sort 0 host _time | streamstats current=f window=1 values(_time) as prev_time 
  | eval duration=abs(_time-prev_time) | eval DownFrom=strftime(prev_time,"%+") | eval DownTo=strftime(_time,"%+")
0 Karma

splunker969
Communicator

Hi Somesoni2 ,

This search gives results. In it, DownFrom is August 13 and DownTo is August 12, so I changed it as below. Please correct the query if anything is not correct. Thanks in advance 🙂

index=_internal host=a OR host=b OR host=..all other hosts.. component=HttpPubSubConnection Running phone
| table _time host | sort 0 host _time | streamstats current=f window=1 values(_time) as prev_time
| eval duration=abs(_time-prev_time) | eval DownTo=strftime(prev_time,"%+") | eval DownFrom=strftime(_time,"%+") | dedup host

0 Karma

thambisetty
SplunkTrust

Have you replaced PutPhoneHomePeriodInSecsHere with your phone home interval?

————————————
If this helps, give a like below.
0 Karma