Getting Data In

How to count number of instances when a forwarder is down?

rongruspe
New Member

I have a forwarder that forwards data every 60 seconds.

I would like to know the count when the forwarder is down (means there's no network and/or the machine is off/no power)

Tags (3)
0 Karma
1 Solution

woodcock
Esteemed Legend

Like this:

... | bucket _time span=1m | stats count by _time | where count = 0 | stats sum(count) AS NumMinutesWithNoData

View solution in original post

0 Karma

woodcock
Esteemed Legend

Like this:

... | bucket _time span=1m | stats count by _time | where count = 0 | stats sum(count) AS NumMinutesWithNoData
0 Karma

rongruspe
New Member

I tried it and find by host, but id didn't work

host="host_name" | bucket _time span=1m| stats count by _time | where count = 0 | stats sum(count) AS NumMinutesWithNoData

Also tried asterisk, but to no avail...

* | bucket _time span=1m| stats count by _time | where count = 0 | stats sum(count) AS NumMinutesWithNoData

Is there something I missed?

0 Karma

woodcock
Esteemed Legend

No, there is something I missed, which is that stats does not pass along empty buckets but timechart does, so try this:

host="host_name" | timechart span=1m count | where count = 0 | stats sum(count) AS NumMinutesWithNoData
0 Karma

rongruspe
New Member

Unfortunately, it's still not returning anything. I even deleted "where count=0" to count those that are able to send, but still it returns nothing. Maybe at that specific minute, the forwarder did not send anything? is there like a duration in between 1 minute? There could be cases when the forwarder forwards data by 1m:15secs.

0 Karma

woodcock
Esteemed Legend

If you are not getting anything from host="host_name" | timechart span=1m count then there is nothing more to say. There is something wrong with your question or your search. The timechart based solution should work just fine.

0 Karma

maciep
Champion

Not knowing your role, just a quick note.... maybe you're not searching the desired indexes by default, so you can add index=* to your base search too. If you're literally not getting any results at all and you expect at least something, then that might be the issue.

0 Karma

woodcock
Esteemed Legend

Good point, fully qualify your search by adding index= and sourcetype= phrases and maybe it will work.

0 Karma
Get Updates on the Splunk Community!

New Cloud Intrusion Detection System Add-on for Splunk

In July 2022 Splunk released the Cloud IDS add-on which expanded Splunk capabilities in security and data ...

Happy CX Day to our Community Superheroes!

Happy 10th Birthday CX Day!What is CX Day? It’s a global celebration recognizing innovation and success in the ...

Check out This Month’s Brand new Splunk Lantern Articles

Splunk Lantern is a customer success center providing advice from Splunk experts on valuable data insights, ...