How to make a line chart that shows the up time of a forwarder?

New Member

Hi,

We have a number of forwarders in our Splunk Enterprise. And I've been asked to chart the "uptime" of the forwarders in a monthly report. I've no idea how to do that.

I have made an alert to email me using the metadata command based on type=host if an index hasn't been received in the last 300 seconds. But I need a chart showing when it has been up or down...

Thanks
Allen

0 Karma
1 Solution

Communicator

allen_edmonson,

Have you taken a look at "Settings" then the "Monitoring Console"? Enabling Forwarder Monitor will allow you to build these reports pretty quickly.
Splunk Docs :: Set up Forwarder Monitoring

Adam

0 Karma

Communicator

allenedmondson,

Glad it worked out for you!

0 Karma

New Member

Thanks for your answers. I am not at work at the moment... so can't get the exact search. But it was based on one of the examples for the metadata command. @Somesoni2, can you give an example of the summary index data option? Say I am using only one index..
I will also look at the forwarder monitoring option when I get in to work....thanks.

0 Karma

SplunkTrust

When you use the metadata command, what index do you use? (Or if you can provide your metadata command.) One way would be to use a timechart command to see when there was an event appearing in (that) index from the host. This can be expensive based on which index is being used (how much data that index has). The other option would be to set up a summary index to capture the trend/timechart data at frequent intervals and chart based off the summary index data (already summarized, so it will be optimal).

0 Karma
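As an added example (not from any post in this thread), the timechart approach above written out in SPL: the first search draws a 0/1 up/down line per host in 5-minute buckets (the same 300-second window the alert uses), and the second turns those buckets into a monthly uptime percentage per host. It assumes the index is named `exchange` and that every forwarder sends at least one event per 5 minutes when it is up; `tstats` is used instead of a raw search to keep it cheap on a large index.

```spl
| tstats count where index=exchange by _time span=5m host
| timechart span=5m limit=0 useother=f sum(count) by host
| fillnull value=0
| untable _time host count
| eval up=if(count>0, 1, 0)
| timechart span=5m limit=0 useother=f max(up) by host

| tstats count where index=exchange by _time span=5m host
| timechart span=5m limit=0 useother=f sum(count) by host
| fillnull value=0
| untable _time host count
| eval up=if(count>0, 1, 0)
| stats avg(up) as up_ratio, sum(eval(1-up)) as down_buckets by host
| eval uptime_pct=round(up_ratio*100, 2), downtime_minutes=down_buckets*5
| fields host uptime_pct downtime_minutes
```

The `timechart ... | fillnull | untable` step is what produces the zero-count buckets that `tstats` alone would leave out; run the second search over "Last month" on a schedule and `| collect index=summary` the result if you want the report to read from a summary index instead.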

New Member

This is the search that generates the alert if I don't see anything in the last 5 minutes:

| metadata type=hosts index=Exchange | where lastTime < (now() - 300) | convert timeformat="%d/%b/%Y %H:%M:%S" ctime(recentTime) ctime(lastTime) ctime(firstTime)

Thanks

0 Karma