Getting Data In

How to check how long splunk uf agents are down on particular servers?

splunker969
Communicator

Hi,

We have a list of servers a, b, c, d, e, f. How can we check how long the Splunk UF agents were down on servers a, b, c, d, e, f? At present we have restarted the UF agents. I am looking for a query. Any help would be great. Thanks in advance 🙂

0 Karma

ddrillic
Ultra Champion

We use -

| inputlookup <lookup with host column>.csv 
| fields host 
| join type=left host 
    [| metadata type=hosts index=<index name>
    | eval host=lower(host) 
    | eval _time=recentTime 
    | sort host, _time 
    | stats latest(_time) as recentTime by host ] 
| eval LAST=strftime(recentTime,"%a %m/%d/%Y-%T %Z(%z)"), DAYS_AGO=round((recentTime-now())/86400,0)

0 Karma

somesoni2
Revered Legend

I would've suggested something similar, but they've restarted the UF, so logs would be coming through and that recentTime would be updated. They want to know for how long it was down.

0 Karma

ddrillic
Ultra Champion

oh oh oh - got it. Thank you @somesoni2.

0 Karma

somesoni2
Revered Legend

Assuming that you're using a deployment server to manage your UF configuration and you forward your deployment server's internal logs to your indexers, try something like this (the accuracy of the downtime will be +/- the phone-home period for your UF; in the last where clause, replace PutPhoneHomePeriodInSecsHere with your actual phone-home interval).

index=_internal host=a OR host=b OR host=..all other hosts.. component=HttpPubSubConnection Running phone
| table _time host | sort 0 host _time | streamstats current=f window=1 values(_time) as prev_time 
| eval duration=abs(_time-prev_time) | stats max(duration) as downtime by host | where downtime>PutPhoneHomePeriodInSecsHere

splunker969
Communicator

Hi somesoni2,

Thanks for the query. In the above query, how can I know from which time to when the Splunk server was down, for example 8/3/2018 7 am to 8/4/2018 6 am, and the downtime in hours, please?

Thanks,
splunker969

0 Karma

somesoni2
Revered Legend

Give this version a try

index=_internal host=a OR host=b OR host=..all other hosts.. component=HttpPubSubConnection Running phone
| table _time host | sort 0 host _time | streamstats current=f window=1 values(_time) as prev_time 
| eval downtime=abs(_time-prev_time) | where downtime>PutPhoneHomePeriodInSecsHere
| eval DownFrom=strftime(prev_time,"%+") | eval DownTo=strftime(_time,"%+") | eval downtime_hours=round(downtime/3600)| eval downtime=tostring(downtime,"duration")
| table host DownFrom DownTo downtime downtime_hours

0 Karma

MonkeyK
Builder

Kind of an old thread, but it seems to me that the streamstats needs a "by host" clause. Otherwise it will be comparing the last entry for one host with the first entry of another host.

0 Karma
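As an added example that is not part of the thread, the gap logic of the searches above (sort by host and _time, compare each phone-home with the previous one, flag gaps longer than the phone-home period, report DownFrom, DownTo and hours) written in Python over constructed phone-home timestamps; the by_host switch shows the cross-host comparison MonkeyK describes. The 30-minute phone-home period and the hosts a and b are assumptions.

```python
from datetime import datetime, timezone

PHONEHOME_SECS = 1800  # assumption: the UFs phone home every 30 minutes


def ts(s):
    """Parse a constructed 'YYYY-MM-DD HH:MM' UTC string to epoch seconds."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M").replace(tzinfo=timezone.utc).timestamp()


def fmt(epoch):
    """Epoch seconds back to 'YYYY-MM-DD HH:MM' UTC (stands in for strftime(_time,"%+"))."""
    return datetime.fromtimestamp(epoch, timezone.utc).strftime("%Y-%m-%d %H:%M")


# Constructed sample of "Running phonehome" event times per host.
# Host a goes silent after 2018-08-03 07:00 and is back at 2018-08-04 06:00;
# host b phones home steadily, but all of its events predate host a's.
EVENTS = [
    ("a", ts("2018-08-03 06:00")), ("a", ts("2018-08-03 06:30")),
    ("a", ts("2018-08-03 07:00")), ("a", ts("2018-08-04 06:00")),
    ("b", ts("2018-08-01 00:00")), ("b", ts("2018-08-01 00:30")),
    ("b", ts("2018-08-01 01:00")),
]


def downtime_windows(events, phonehome_secs, by_host=True):
    """Return [(host, DownFrom, DownTo, downtime_hours)] for every gap between
    consecutive phone-homes that exceeds phonehome_secs.

    by_host=True compares only events of the same host (streamstats ... by host).
    by_host=False mimics the ungrouped streamstats in the thread: after
    'sort host _time' the last event of one host is compared with the first
    event of the next host, which yields a bogus window for that next host.
    """
    windows = []
    prev_host, prev_time = None, None
    for host, t in sorted(events):  # same order as "sort 0 host _time"
        if prev_time is not None and (not by_host or host == prev_host):
            gap = abs(t - prev_time)  # abs() as in the thread's eval
            if gap > phonehome_secs:
                windows.append((host, fmt(prev_time), fmt(t), round(gap / 3600)))
        prev_host, prev_time = host, t
    return windows


if __name__ == "__main__":
    for row in downtime_windows(EVENTS, PHONEHOME_SECS):
        print("by host:  ", row)
    for row in downtime_windows(EVENTS, PHONEHOME_SECS, by_host=False):
        print("ungrouped:", row)
```

In the ungrouped run the bogus row for host b has DownFrom later than DownTo, the same reversal splunker969 reports further down the thread.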

splunker969
Communicator

Hi somesoni2

This query is not working.

Thanks,
Splunker969

0 Karma

somesoni2
Revered Legend

Not getting any output OR not getting correct output?

0 Karma

splunker969
Communicator

Not getting any output

0 Karma

somesoni2
Revered Legend

How about this one?

index=_internal host=a OR host=b OR host=..all other hosts.. component=HttpPubSubConnection Running phone
| table _time host | sort 0 host _time | streamstats current=f window=1 values(_time) as prev_time 
| eval duration=abs(_time-prev_time) | eventstats max(duration) as downtime by host | where downtime>PutPhoneHomePeriodInSecsHere AND downtime=duration | eval DownFrom=strftime(prev_time,"%+") | eval DownTo=strftime(_time,"%+")

0 Karma

splunker969
Communicator

Hi somesoni2

This query is not working. Not getting any output.

Thanks,
Splunker969

0 Karma

splunker969
Communicator

Need help on this question; can anybody help me? Thanks in advance!

0 Karma

somesoni2
Revered Legend

Does this yield something?

index=_internal host=a OR host=b OR host=..all other hosts.. component=HttpPubSubConnection Running phone
| table _time host | sort 0 host _time | streamstats current=f window=1 values(_time) as prev_time 
| eval duration=abs(_time-prev_time) | eval DownFrom=strftime(prev_time,"%+") | eval DownTo=strftime(_time,"%+")

0 Karma

splunker969
Communicator

Hi somesoni2,

This search gives results. DownFrom is August 13 and DownTo is August 12, which I changed as below. Please correct the query if anything is not correct. Thanks in advance 🙂

index=_internal host=a OR host=b OR host=..all other hosts.. component=HttpPubSubConnection Running phone
| table _time host | sort 0 host _time | streamstats current=f window=1 values(_time) as prev_time
| eval duration=abs(_time-prev_time) | eval DownTo=strftime(prev_time,"%+") | eval DownFrom=strftime(_time,"%+") |dedup host

0 Karma

thambisetty
SplunkTrust

Have you replaced PutPhoneHomePeriodInSecsHere with your phone home interval?

————————————
If this helps, give a like below.
0 Karma