Hi,
We had a list of servers a,b,c,d,e,f. How can we check how long the Splunk UF agents have been down on the servers a,b,c,d,e,f? At present we have restarted the UF agents. I am looking for a query. Any help would be great. Thanks in advance 🙂
We use -
| inputlookup <lookup with host column>.csv
| fields host
| join type=left host
[| metadata type=hosts index=<index name>
| eval host=lower(host)
| eval _time=recentTime
| sort host, _time
| stats latest(_time) as recentTime by host ]
| eval LAST=strftime(recentTime,"%a %m/%d/%Y-%T %Z(%z)"), DAYS_AGO=round((recentTime-now())/86400,0)
I would've suggested similar, but they've restarted the UF, so logs would be coming through and that recentTime would be updated. They want to know for how long it was down.
oh oh oh - got it. Thank you @somesoni2.
Assuming that you're using a deployment server to manage your UF configuration and you forward your deployment server's internal logs to your indexers, try like this (accuracy of the downtime will be +/- the phone home period for your UF; in the last where clause, replace PutPhoneHomePeriodInSecsHere with your actual phone home interval).
index=_internal host=a OR host=b OR host=..all other hosts.. component=HttpPubSubConnection Running phone
| table _time host | sort 0 host _time | streamstats current=f window=1 values(_time) as prev_time
| eval duration=abs(_time-prev_time) | stats max(duration) as downtime by host | where downtime>PutPhoneHomePeriodInSecsHere
Hi somesoni2,
Thanks for the query. In the above query, how can I know from which time to when the Splunk server is down, for example 8/3/2018 7 am to 8/4/2018 6 am, and the downtime in hours, please?
Thanks,
splunker969
Give this version a try
index=_internal host=a OR host=b OR host=..all other hosts.. component=HttpPubSubConnection Running phone
| table _time host | sort 0 host _time | streamstats current=f window=1 values(_time) as prev_time
| eval downtime=abs(_time-prev_time) | where downtime>PutPhoneHomePeriodInSecsHere
| eval DownFrom=strftime(prev_time,"%+") | eval DownTo=strftime(_time,"%+") | eval downtime_hours=round(downtime/3600) | eval downtime=tostring(downtime,"duration")
| table host DownFrom DownTo downtime downtime_hours
Kind of an old thread, but it seems to me that the streamstats needs a "by host" clause. Otherwise it will be comparing the last entry for one host with the first entry of another host.
Hi somesoni2
This query is not working.
Thanks,
Splunker969
Not getting any output OR not getting correct output?
Not getting any output
How about this one?
index=_internal host=a OR host=b OR host=..all other hosts.. component=HttpPubSubConnection Running phone
| table _time host | sort 0 host _time | streamstats current=f window=1 values(_time) as prev_time
| eval duration=abs(_time-prev_time) | eventstats max(duration) as downtime by host | where downtime>PutPhoneHomePeriodInSecsHere AND downtime=duration | eval DownFrom=strftime(prev_time,"%+") | eval DownTo=strftime(_time,"%+")
Hi somesoni2
This query is not working. Not getting any output.
Thanks,
Splunker969
Need help on this question, can anybody help me? Thanks in advance!
Does this yield something?
index=_internal host=a OR host=b OR host=..all other hosts.. component=HttpPubSubConnection Running phone
| table _time host | sort 0 host _time | streamstats current=f window=1 values(_time) as prev_time
| eval duration=abs(_time-prev_time) | eval DownFrom=strftime(prev_time,"%+") | eval DownTo=strftime(_time,"%+")
Hi Somesoni2,
This search gives results. In DownFrom it is August 13 and DownTo is August 12, which I changed as below. Please correct the query if anything is not correct. Thanks in advance 🙂
index=_internal host=a OR host=b OR host=..all other hosts.. component=HttpPubSubConnection Running phone
| table _time host | sort 0 host _time | streamstats current=f window=1 values(_time) as prev_time
| eval duration=abs(_time-prev_time) | eval DownTo=strftime(prev_time,"%+") | eval DownFrom=strftime(_time,"%+") | dedup host
Have you replaced PutPhoneHomePeriodInSecsHere with your phone home interval?