Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to create Alert for monitoring splunk forwarder that events is not fetched within the last 5 minutes

avni26
Explorer
‎07-08-2019 03:36 AM

Hello,
I have multiple scripts in each host which send availability,memory,space details of servers to splunk in every 5 minutes.
I want to create alert when there is no events within 5 minutes and sent the notification that forwarder is not working for "host".
Please help me with sample search.

I tried with below query, but its not working as per my requirement. Its not sending notification for host which has no events as for that host its showing " no result found". 

index="idx" sourcetype=scripts host IN (*) earliest=-5m@m latest=now
| bin span=5m _time | dedup host
| stats count as "event_count" by _time host| where event_count=0
0 Karma
Reply

woodcock
Esteemed Legend
‎07-28-2019 05:00 AM

This issue is not as clear-cut as you might imagine and has been solved dozens of ways. Everybody who uses splunk eventually gets around to asking this same question and solving it some how. Before you do anything else, I would look 3 of the best options.

1 Check out the Forwarding Monitoring features in the Monitoring Console (https://docs.splunk.com/Documentation/Splunk/latest/DMC/ForwardersDeployment)

2 Check out the Broken Hosts App for Splunk (https://splunkbase.splunk.com/app/3247/)

3 Check out the new functionality for this use-case in the soon-to-be released update of the Splunk Security Essentials app (https://splunkbase.splunk.com/app/3435/); maybe @dveuve_splunk will comment on this.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎07-11-2019 06:56 AM

Hi avni26,
you have to create a lookup called e.g. perimeter.csv containing all the host to monitor (the hostname must be in a field called e.g. host), then runa search like this:

| metasearch index=_internal
| eval host=upper(host)
| stats count BY host
| append [ | inputlookup perimeter.csv host | eval count=0, host=upper(host) | fields host, count ]
| stats sum(count) AS Total BY host
| where Total=0

In this way if you have results, there are some hosts that aren't sending logs in the examined period.
You can generate an alert with this search or insert it in a dashboard panel.

Bye.
Giuseppe

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎07-08-2019 05:24 AM

You're getting "No results found" either because your search finds no events for the stats command to count or because there are no missing forwarders (all event_count values are not zero).

This approach, however, is flawed because Splunk cannot search for something that is not there. A working search will compare a list of forwarders seen in the last 5 minutes with a list of all expected forwarders and report the expected forwarders not on the 'seen' list.

BTW, the Monitoring Console has a missing forwarder alert built-in. You can enable it or use it as a model.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

avni26
Explorer
‎07-10-2019 11:34 PM

@ richgalloway Thank you for your response.
Yes , but I can't enable missing forwarder alert built in E3. Wanted to get alert by query only.

Please suggest how to achieve when there is no events (splunk could not receive data) from xyz server for abc source.

Thanks in advance.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎07-11-2019 05:14 AM

If you can't enable the built-in alert you can still use it as a model for your own query.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...

State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...

For the past four years, Splunk has partnered with Enterprise Strategy Group to conduct a survey that gauges ...

Data-Driven Success: Splunk & Financial Services

Splunk streamlines the process of extracting insights from large volumes of data. In this fast-paced world, ...