How to create an alert to trigger an email when a ...

athorat · ‎10-13-2015

We have a report which helps us to trigger an alert when the Indexer is down.
Is there a way we can monitor if the forwarder is stopped on the server which can send an email alert?

woodcock · ‎10-14-2015

Forwarders can be not forwarding for many reasons other than shutdown including a crash, which would not have a shutdown event or a network problem. Try this:

| metadata index=* type=hosts | eval latencySeconds=(recentTime-lastTime) | eval quietSeconds=(now()-recentTime) | fieldformat firstTime=strftime(firstTime, "%m/%d/%Y %H:%M:%S") | fieldformat lastTime=strftime(lastTime, "%m/%d/%Y %H:%M:%S") | eval indexTime=strftime(recentTime, "%m/%d/%Y %H:%M:%S")

The field quietSeconds tells you how long it has been since that forwarder sent any data to any indexer.

MuS · ‎10-13-2015

Hi athorat,

forward the _internal logs of the forwarder to the indexer and search like this:

index=_internal component=ShutdownHandler

This will list all shutdown events.

Basics about _internal forwarding can be found here http://docs.splunk.com/Documentation/Splunk/6.3.0/DistSearch/Forwardsearchheaddata
Yes, you can do the same on your forwarder.

Hope this helps ...

cheers, MuS

How to create an alert to trigger an email when a forwarder is stopped on a server?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation