How to check how long splunk uf agents are down on particular servers?

splunker969
Communicator

Hi ,

We have a list of servers a, b, c, d, e, f. How can we check how long the Splunk UF agents were down on servers a, b, c, d, e, f? At present we have restarted the UF agents. I am looking for a query. Any help would be great. Thanks in advance 🙂


ddrillic
Ultra Champion

We use -

| inputlookup <lookup with host column>.csv 
| fields host 
| join type=left host 
    [| metadata type=hosts index=<index name>
    | eval host=lower(host) 
    | eval _time=recentTime 
    | sort host, _time 
    | stats latest(_time) as recentTime by host ] 
| eval LAST=strftime(recentTime,"%a %m/%d/%Y-%T %Z(%z)"), DAYS_AGO=round((recentTime-now())/86400,0)

somesoni2
SplunkTrust

I would've suggested similar but they've restarted UF so logs would be coming through and that recentTime would be updated. They want to know for how long it was down.


ddrillic
Ultra Champion

oh oh oh - got it. Thank you @somesoni2.


somesoni2
SplunkTrust

Assuming that you're using a deployment server to manage your UF configuration and you forward your deployment server's internal logs to your indexers, try something like this (the accuracy of the downtime will be +/- the phone-home period of your UF; in the last where clause, replace PutPhoneHomePeriodInSecsHere with your actual phone-home interval).

index=_internal host=a OR host=b OR host=..all other hosts.. component=HttpPubSubConnection Running phone
| table _time host | sort 0 host _time | streamstats current=f window=1 values(_time) as prev_time 
| eval duration=abs(_time-prev_time) | stats max(duration) as downtime by host | where downtime>PutPhoneHomePeriodInSecsHere

splunker969
Communicator

Hi somesoni2 ,

Thanks for the query. In the above query, how can I know from which time to when the Splunk server was down, for example 8/3/2018 7 am to 8/4/2018 6 am, and the downtime in hours, please?

Thanks,
splunker969


somesoni2
SplunkTrust

Give this version a try

index=_internal host=a OR host=b OR host=..all other hosts.. component=HttpPubSubConnection Running phone
 | table _time host | sort 0 host _time | streamstats current=f window=1 values(_time) as prev_time 
 | eval downtime=abs(_time-prev_time) | where downtime>PutPhoneHomePeriodInSecsHere
| eval DownFrom=strftime(prev_time,"%+") | eval DownTo=strftime(_time,"%+") | eval downtime_hours=round(downtime/3600)| eval downtime=tostring(downtime,"duration")
| table host DownFrom DownTo downtime downtime_hours

MonkeyK
Builder

Kind of an old thread, but it seems to me that the streamstats needs a "by host" clause. Otherwise it will be comparing the last entry for one host with the first entry of another host.

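The gap detection that somesoni2's search performs, together with the per-host partition MonkeyK asks for and the "expected host never reported" case that ddrillic's left join covers, as an added Python example that is not code from this thread or from Splunk. The log line layout, the host names and the 600-second phone-home period are assumptions made for the constructed sample; real splunkd.log lines carry the client host as indexed metadata rather than as a host= field.

```python
"""Added example, not code from the thread: phone-home gap detection over
constructed deployment-server log lines, partitioned by host."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample (assumed format). Phone-home period is 600 s. Host b is
# silent for 23 h, host c phones home only once, host d never phones home.
SAMPLE_LOG = """\
2018-08-03 06:50:00 host=a INFO HttpPubSubConnection - Running phone uri=/services/broker/phonehome/connection_a
2018-08-03 06:50:00 host=b INFO HttpPubSubConnection - Running phone uri=/services/broker/phonehome/connection_b
2018-08-03 06:55:00 host=c INFO HttpPubSubConnection - Running phone uri=/services/broker/phonehome/connection_c
2018-08-03 07:00:00 host=a INFO HttpPubSubConnection - Running phone uri=/services/broker/phonehome/connection_a
2018-08-03 07:00:00 host=b INFO HttpPubSubConnection - Running phone uri=/services/broker/phonehome/connection_b
2018-08-03 07:00:00 host=a INFO DeploymentServer - unrelated line, must be ignored
2018-08-03 07:10:00 host=a INFO HttpPubSubConnection - Running phone uri=/services/broker/phonehome/connection_a
2018-08-03 07:20:00 host=a INFO HttpPubSubConnection - Running phone uri=/services/broker/phonehome/connection_a
2018-08-04 06:00:00 host=b INFO HttpPubSubConnection - Running phone uri=/services/broker/phonehome/connection_b
2018-08-04 06:10:00 host=b INFO HttpPubSubConnection - Running phone uri=/services/broker/phonehome/connection_b
"""

# Only the "Running phone" lines of the HttpPubSubConnection component count,
# matching the base search in the thread.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) host=(?P<host>\S+) .*"
    r"HttpPubSubConnection - Running phone")


def parse(log_text):
    """Return {host: [datetime, ...]}, each list sorted (sort 0 host _time)."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events[m["host"]].append(datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"))
    for times in events.values():
        times.sort()
    return dict(events)


def find_gaps(events, threshold_secs):
    """streamstats ... by host: compare each phone-home with the previous one
    of the SAME host. A gap above the threshold is a downtime window; in
    practice set the threshold a little above the phone-home period to absorb
    jitter. Returns (host, down_from, down_to, seconds) tuples."""
    gaps = []
    for host, times in events.items():
        for prev, cur in zip(times, times[1:]):
            secs = (cur - prev).total_seconds()
            if secs > threshold_secs:
                gaps.append((host, prev, cur, secs))
    return gaps


def find_gaps_unpartitioned(events, threshold_secs):
    """The defect MonkeyK points out: without 'by host' the stream runs across
    host boundaries, so one host's first event is compared with the previous
    host's last. abs() hides that prev_time is then later than _time, which is
    exactly what reversed DownFrom/DownTo dates look like."""
    stream = sorted((h, t) for h, ts in events.items() for t in ts)
    gaps = []
    for (_, prev), (host, cur) in zip(stream, stream[1:]):
        secs = abs((cur - prev).total_seconds())
        if secs > threshold_secs:
            gaps.append((host, prev, cur, secs))
    return gaps


def missing_hosts(expected, events):
    """ddrillic's left join against a host list: expected hosts with no
    phone-home at all. A gap search cannot report these, because there are no
    two events to compare."""
    return sorted(h for h in expected if h not in events)


def report(events, threshold_secs):
    """Rows shaped like the thread's table: host DownFrom DownTo downtime_hours."""
    rows = []
    for host, down_from, down_to, secs in sorted(find_gaps(events, threshold_secs)):
        rows.append({"host": host,
                     "DownFrom": down_from.isoformat(sep=" "),
                     "DownTo": down_to.isoformat(sep=" "),
                     "downtime_hours": round(secs / 3600, 2)})
    return rows


if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    for row in report(ev, threshold_secs=600):
        print(row)
    print("never phoned home:", missing_hosts(["a", "b", "c", "d"], ev))
    print("spurious gaps without 'by host':", len(find_gaps_unpartitioned(ev, 600)))
```

On the constructed sample the partitioned search reports one window, host b from 2018-08-03 07:00 to 2018-08-04 06:00 (23 hours), and host d as never having phoned home; the unpartitioned variant reports three windows, two of them with DownFrom later than DownTo. The same +/- one phone-home period uncertainty somesoni2 describes applies: the forwarder went down some time after the last successful phone-home and came back some time before the next one.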

splunker969
Communicator

Hi somesoni2

This query is not working.

Thanks,
Splunker969


somesoni2
SplunkTrust

Not getting any output OR not getting correct output?


splunker969
Communicator

Not getting any output


somesoni2
SplunkTrust

How about this one?

index=_internal host=a OR host=b OR host=..all other hosts.. component=HttpPubSubConnection Running phone
 | table _time host | sort 0 host _time | streamstats current=f window=1 values(_time) as prev_time 
 | eval duration=abs(_time-prev_time) | eventstats max(duration) as downtime by host | where downtime>PutPhoneHomePeriodInSecsHere AND downtime=duration | eval DownFrom=strftime(prev_time,"%+") | eval DownTo=strftime(_time,"%+")

splunker969
Communicator

Hi somesoni2

This query is not working. Not getting any output.

Thanks,
Splunker969


splunker969
Communicator

Need help on this question can anybody help me? Thanks in advance !


somesoni2
SplunkTrust

Does this yield in something?

index=_internal host=a OR host=b OR host=..all other hosts.. component=HttpPubSubConnection Running phone
  | table _time host | sort 0 host _time | streamstats current=f window=1 values(_time) as prev_time 
  | eval duration=abs(_time-prev_time) | eval DownFrom=strftime(prev_time,"%+") | eval DownTo=strftime(_time,"%+")

splunker969
Communicator

Hi Somesoni2 ,

This search gives results. In them DownFrom is August 13 and DownTo is August 12, which I changed as below. Please correct the query if anything is not correct. Thanks in advance 🙂

index=_internal host=a OR host=b OR host=..all other hosts.. component=HttpPubSubConnection Running phone
| table _time host | sort 0 host _time | streamstats current=f window=1 values(_time) as prev_time
| eval duration=abs(_time-prev_time) | eval DownTo=strftime(prev_time,"%+") | eval DownFrom=strftime(_time,"%+") |dedup host


thambisetty
SplunkTrust

Have you replaced PutPhoneHomePeriodInSecsHere with your phone home interval?

————————————
If this helps, give a like below.