How to make a line chart that shows the up time of a forwarder?

allen_edmondso1
New Member

Hi,

We have a number of forwarders in our Splunk Enterprise. And I've been asked to chart the "uptime" of the forwarders in a monthly report. I've no idea how to do that.

I have made an alert to email me using the metadata command based on type=host if an index hasn't been received in the last 300 seconds. But I need a chart showing when it has been up or down...

Thanks
Allen

0 Karma
1 Solution

adamsaul
Communicator

allen_edmonson,

Have you taken a look at "Settings" then the "Monitoring Console"? Enabling Forwarder Monitor will allow you to build these reports pretty quickly.
Splunk Docs :: Set up Forwarder Monitoring

Adam

0 Karma

adamsaul
Communicator

allenedmondson,

Glad it worked out for you!

0 Karma

allenedmondson
New Member

Thanks for your answers. I am not at work at the moment... so can't get the exact search. But it was based on one of the examples for the metadata command. @Somesoni2, can you give an example of the summary index data option? Say I am using only one index.
I will also look at the forwarder monitoring option when I get in to work.... thanks.

0 Karma

somesoni2
SplunkTrust
SplunkTrust

When you use the metadata command, what index do you use? (Or, if you can, provide your metadata command.) One way would be to use a timechart command to see when there was an event appearing in (that) index from the host. This can be expensive depending on which index is being used (how much data that index has). Another option would be to set up a summary index to capture the trend/timechart data at a frequent interval and chart based off the summary index data (already summarized, so it will be optimal).

0 Karma

allenedmondson
New Member

This is the search that generates the alert if I don't see anything in the last 5 minutes:

| metadata type=hosts index=Exchange
| where lastTime < (now() - 300)
| convert timeformat="%d/%b/%Y %H:%M:%S" ctime(firstTime) ctime(lastTime) ctime(recentTime)

Thanks

0 Karma
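One way to draw the up/down chart somesoni2 describes, as an added example that is not from the thread: it counts events per host per hour in the Exchange index that Allen's alert already queries, turns each hour into 1 (events arrived) or 0 (nothing arrived, the same silence the 300-second alert tests for) and pivots back into one series per host for a line chart. The 30-day window and the 1-hour span are assumptions; a host that is silent for the whole window gets no column at all, so compare the host list against your forwarder inventory, and since this scans raw events it is the search you would schedule into a summary index rather than run ad hoc over a month.

```spl
index=Exchange earliest=-30d@d latest=@d
| timechart span=1h count by host limit=0 useother=f
| untable _time host event_count
| eval up = if(event_count > 0, 1, 0)
| xyseries _time host up
```

For the monthly uptime percentage per host instead of the chart, replace the final xyseries line with `| stats sum(up) as up_hours count as total_hours by host | eval uptime_pct = round(100 * up_hours / total_hours, 2)`.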